CIP Security with Rockwell

Automation Products

Application Technique Original Instructions



Important User Information


Read this document and the documents listed in the additional resources section about installation, configuration, and
operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize
themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.

Activities including installation, adjustments, putting into service, use, assembly, disassembly, and maintenance are required to
be carried out by suitably trained personnel in accordance with applicable code of practice.

If this equipment is used in a manner not specified by the manufacturer, the protection provided by the equipment may be
impaired.

In no event will Rockwell Automation, Inc. be responsible or liable for indirect or consequential damages resulting from the use
or application of this equipment.

The examples and diagrams in this manual are included solely for illustrative purposes. Because of the many variables and
requirements associated with any particular installation, Rockwell Automation, Inc. cannot assume responsibility or liability for
actual use based on the examples and diagrams.

No patent liability is assumed by Rockwell Automation, Inc. with respect to use of information, circuits, equipment, or software
described in this manual.

Reproduction of the contents of this manual, in whole or in part, without written permission of Rockwell Automation, Inc., is
prohibited.

Throughout this manual, when necessary, we use notes to make you aware of safety considerations.

WARNING: Identifies information about practices or circumstances that can cause an explosion in a hazardous environment, which
may lead to personal injury or death, property damage, or economic loss.

ATTENTION: Identifies information about practices or circumstances that can lead to personal injury or death, property
damage, or economic loss. Attentions help you identify a hazard, avoid a hazard, and recognize the consequence.

IMPORTANT Identifies information that is critical for successful application and understanding of the product.

These labels may also be on or inside the equipment to provide specific precautions.

SHOCK HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that dangerous
voltage may be present.

BURN HAZARD: Labels may be on or inside the equipment, for example, a drive or motor, to alert people that surfaces may
reach dangerous temperatures.

ARC FLASH HAZARD: Labels may be on or inside the equipment, for example, a motor control center, to alert people to potential
Arc Flash. Arc Flash will cause severe injury or death. Wear proper Personal Protective Equipment (PPE). Follow ALL Regulatory
requirements for safe work practices and for Personal Protective Equipment (PPE).

The following icon may appear in the text of this document.

Identifies information that is useful and can help to make a process easier to do or easier to understand.

2 Rockwell Automation Publication SECURE-AT001C-EN-P - August 2022


Table of Contents

Preface ... 7
  Summary of Changes ... 7
  Additional Resources ... 8

Chapter 1 - Industrial Security Overview
  Industrial Automation Control Systems Environment ... 9
  Security Threats ... 9
  Vulnerability and Exploits ... 10
  Security Assessment ... 11
  Defense in Depth Architecture ... 12
  CIP Security is an ODVA Standard ... 13
    Device Identity/Authentication ... 14
    Secure Data Transport ... 15

Chapter 2 - CIP Security-capable Rockwell Automation Products
  Software and Hardware ... 17
    CIP Security Software Applications ... 17
    CIP Security-capable Hardware Devices ... 19
    Use Non-CIP Security-capable Controllers with CIP Security ... 20
  Benefits of Using Rockwell Automation Products ... 21
  CIP Security Properties ... 22
    Security Profile and Attributes ... 22
    CIP Security Components ... 23
  Security Model ... 26
    Zone Properties ... 26
    Conduit Properties ... 27
  Limitations and Considerations ... 28
    Devices That Support DLR/Linear and Dual-IP EtherNet/IP Modes ... 28
    Initial Security Model Deployment Fails If ControlLogix 5580 Controller is in Run Mode ... 30
    Cannot Download to ControlLogix 5580 Controller from Unsecure Workstation ... 30
    Workstation Cannot Download to a Secured ControlLogix 5580 Controller if Security Policies Do Not Match ... 31
    Secure the Programming Connection to Redundant ControlLogix 5580 Controllers ... 32
    Secure the Programming Connection to the CompactLogix 5380 Controllers ... 34
    Network Address Translation ... 34
    Policy Provisioning ... 36
    CIP Bridging Control ... 38
    Use of I/O Connections in Redundancy Configuration ... 41
    Automatic Device Configuration (ADC) ... 41
    Disable CIP Security ... 41
    Add Legacy Devices to the Security Model ... 42
    RSLinx Classic Software ... 42

Chapter 3 - CIP Security Implementation Process
  Design and Install the System ... 43
    Identify CIP Security-capable and CIP Security-enabled Devices ... 44
    Unsecure Device Management ... 45
  Identify, Organize, and Create Zones ... 45
    Create a Zone ... 46
    Configure the Zone ... 48
  Identify, Organize, and Create Conduits ... 49
    Create a Conduit ... 50
    Configure the Conduit ... 55
  Identify and Create Security Features/Policies ... 57
  Deploy Security Model ... 58
  Back Up the Security Model ... 62
    Save Security Model Backup to Another Secure Location ... 62
    Different From FactoryTalk Directory Backup File ... 62
  Restore FactoryTalk System Services ... 63
  Remove the Security Policy ... 64
    Remove the Security Policy From a Software Application ... 64
    Remove the Security Policy From a Device ... 68
  Set Mask Parameters on PowerFlex 755T Drives to Maintain Security ... 72
    Device Peripheral Interface (DPI) Ports ... 72
    Setting Masks to Secure the DPI Ports ... 73
  Use Syslog with CIP Security ... 75
    Syslog Collector ... 75
    Define Event Policy in FactoryTalk Policy Manager ... 75
    Facility Codes and Severity Levels ... 76
    Syslog Message List ... 77

Chapter 4 - CIP Security Implementation Example Architecture
  Phase One of Implementation ... 79
    Create Zones ... 79
    Create Zone-to-Zone Conduits ... 81
    Configure Conduit Security Policies ... 82
    Deploy Security Policies ... 83
  Phase Two of Implementation ... 84
    Create a Device-to-Device Conduit ... 84
    Create a Zone-to-Device Conduit ... 85
    Create Conduit Security Policies ... 86
    Deploy Security Policies ... 87

Chapter 5 - Add or Replace A Device In a CIP Security System
  Automatic Policy Deployment ... 89
    Enable Automatic Policy Deployment ... 90
    Deployment Operation ... 91
    Onboarding ... 92
    Merging ... 96
    Disable Automatic Policy Deployment in a Device ... 97
    Disable Automatic Policy Deployment in FactoryTalk Policy Manager ... 99
    Firmware Revision Updates ... 100
    Benefits of Automatic Policy Deployment ... 100
  Add a New Device That Supports Automatic Policy Deployment ... 101
    New Device is Not in the Security Policy Model ... 101
    New Device is in the Security Policy Model ... 102
  Replace a Device That Supports Automatic Policy Deployment ... 103
    Replacement Device is Not Identical to the Existing Device ... 103
    Replacement Device is Identical to the Existing Device ... 104
  Devices That Do Not Support Automatic Policy Deployment ... 105
    Add a Device That Does Not Support APD to an Existing CIP Security System ... 105
    Replace a Secured Device That Does Not Support APD in an Existing System ... 106

Appendix A - CIP Security Compatibility
  Software ... 107
  Logix Controllers ... 107
  ControlLogix 5580 and 5570 Controller Redundancy ... 109
  Other Devices ... 109

Appendix B - History of Changes
  SECURE-AT001B-EN-P, August 2021 ... 111

Index ... 113


Preface

This manual explains how to implement the Common Industrial Protocol (CIP™) Security standard in your industrial automation control system (IACS). The term CIP Security™ is used throughout the rest of this manual.

Make sure that you are familiar with the following before you use this manual:
• Basic understanding of EtherNet/IP™ networking fundamentals
• Basic understanding of network security terminology and concepts
• Use of Rockwell Automation® software, for example:
- FactoryTalk® Policy Manager
- FactoryTalk Linx
- Studio 5000 Logix Designer®

Summary of Changes

This table contains the changes that are made to this revision of the publication. Change bars indicate changes throughout the publication.

Topic ... Page
Added information about the following products that you can use with CIP Security ... Throughout
• Armor™ PowerFlex® Variable Frequency Drives (VFD)
• CompactLogix™ 5380 Controllers
• Compact GuardLogix® 5380 Controllers
• ControlLogix 5580 Process Controllers
• GuardLogix 5580 Controllers
• PowerFlex 755TS Drives
Added section Use Non-CIP Security-capable Controllers with CIP Security ... 20
Changed Allowed to AllowedList as appropriate ... 21
Added a table to define icons that had not previously been defined ... 22
Changed section Dual-port Devices to Devices That Support DLR/Linear and Dual-IP EtherNet/IP Modes and added content ... 28
Added information on how to Secure the Programming Connection to Redundant ControlLogix 5580 Controllers ... 32
Added information on how to Secure the Programming Connection to the CompactLogix 5380 Controllers ... 34
Updated the description of CIP Bridging, including changing the name to Policy Provisioning ... 36
Added information on CIP Bridging Control ... 38
Updated the description of how to use I/O connections in Redundancy Systems ... 41
Added description of Automatic Device Configuration (ADC) ... 41
Added description of how to disable CIP Security ... 41
Added description of how to add legacy devices to the security model ... 42
Added description of how to Identify CIP Security-capable and CIP Security-enabled Devices ... 44
Added description of Unsecure Device Management ... 45
Added information to section Identify, Organize, and Create Zones ... 45
Added information to section Back Up the Security Model ... 62
Added information on how to Set Mask Parameters on PowerFlex 755T Drives to Maintain Security ... 72
Added information on how to Use Syslog with CIP Security ... 75
Added Chapter 5, Add or Replace A Device In a CIP Security System, with the following sections:
• Automatic Policy Deployment ... 89
• Add a New Device That Supports Automatic Policy Deployment ... 101
• Replace a Device That Supports Automatic Policy Deployment ... 103
• Devices That Do Not Support Automatic Policy Deployment ... 105
Added a CIP Security Compatibility section ... 107
Added a History of Changes section ... 111



Additional Resources

These documents contain additional information concerning related products from Rockwell Automation.

Resource: Description
• FactoryTalk Policy Manager Getting Results Guide, publication FTALK-GR001: Describes how to install and use FactoryTalk System Services and FactoryTalk Policy Manager.
• FactoryTalk Security System Configuration Guide Quick Start, publication FTSEC-QS001: Describes how to use FactoryTalk Services Platform with FactoryTalk Security.
• Deploying CIP Security within a Converged Plantwide Ethernet Architecture Design Guide, publication ENET-TD022: Describes security architecture use cases for designing and deploying CIP Security technology across plant-wide or site-wide Industrial Automation and Control System (IACS) applications.
• System Security Design Guidelines Reference Manual, publication SECURE-RM001: Describes guidelines for how to use Rockwell Automation products to improve the security of your industrial automation system.
• Armor PowerFlex User Manual, publication 35-UM001: Provides basic information on how to install, configure, and program the Armor PowerFlex drives.
• CompactLogix 5380 and Compact GuardLogix 5380 Controllers User Manual, publication 5069-UM001: Describes how to design, implement, and maintain an industrial control system that uses CompactLogix or Compact GuardLogix-based controllers.
• ControlLogix 5580 and GuardLogix 5580 Controllers User Manual, publication 1756-UM543: Describes how to design, implement, and maintain an industrial control system that uses ControlLogix® or GuardLogix®-based controllers.
• ControlLogix EtherNet/IP Network Devices User Manual, publication 1756-UM004: Describes how to use ControlLogix EtherNet/IP communication modules with a Logix 5000™ controller and communicate with devices on the EtherNet/IP network.
• Kinetix 5700 Servo Drives User Manual, publication 2198-UM002: Describes how to use a Kinetix® 5700 drive system with associated power supplies, single-axis inverters, dual-axis inverters, and accessory modules in a Logix 5000 control system.
• PowerFlex Drives with TotalFORCE Control Programming Manual, publication 750-PM101: Provides detailed information on startup, control algorithms, and status indicators.
• Kinetix 5300 Servo Drives User Manual, publication 2198-UM005: Describes how to use a Kinetix 5300 drive system with associated power supplies and accessory modules in a Logix 5000 control system.
• CIP Security Proxy User Manual, publication 1783-UM013: Describes how to use a CIP Security Proxy to provide secure communication for non-CIP Security-capable devices.
• Industrial Components Preventive Maintenance, Enclosures, and Contact Ratings Specifications, publication IC-TD002: Provides a quick reference tool for Allen-Bradley industrial automation controls and assemblies.
• Safety Guidelines for the Application, Installation, and Maintenance of Solid-state Control, publication SGI-1.1: Designed to harmonize with NEMA Standards Publication No. ICS 1.1-1987 and provides general guidelines for the application, installation, and maintenance of solid-state control in the form of individual devices or packaged assemblies incorporating solid-state components.
• Industrial Automation Wiring and Grounding Guidelines, publication 1770-4.1: Provides general guidelines for installing a Rockwell Automation industrial system.
• Product Certifications website, rok.auto/certifications: Provides declarations of conformity, certificates, and other certification details.

You can view or download publications at rok.auto/literature.



Chapter 1

Industrial Security Overview

This section provides an overview of CIP Security™.

Industrial Automation Control Systems Environment

Historically, industrial automation control systems (IACS) have been air-gapped environments, isolated systems that are running proprietary control protocols. But IACS networks are evolving toward smart manufacturing. Smart manufacturing represents a gateway to digital transformation that connects plant-level and enterprise networks, and securely connects people, processes, and technologies.

Collectively, this opens new windows to connected smart devices for visibility
into processes, data, and analytics. The visibility enables better and faster
decision-making and seamless connectivity for remote locations.

As EtherNet/IP™ becomes a growing standard and these isolated IACS networks evolve toward smart manufacturing, network convergence and industrial security become a necessity.

Security Threats

As IACS networks transition to the open standards of Ethernet media and Internet Protocol (IP) to meet the needs of end-to-end connectivity of entities, the threat landscape broadens.
With an increase of smart devices and end-to-end connectivity come more
assets to protect and a greater risk of security threats.
Security risks can take many forms, for example:
• Threat actors that try to gain unauthorized, and undetected, access to an
IACS network with the intention to commit malicious acts.
• Well-intentioned personnel with no malicious intention but who make
mistakes that can result in unintended consequences.

IMPORTANT This publication focuses on threat actors with malicious intentions, also called attackers. The word attacker is used throughout the rest of the publication. In this publication, attacker refers to a range from one individual to an Advanced Persistent Threat (APT), that is, a group of attackers working collectively.


Vulnerability and Exploits

By default, IACS communication protocols are proprietary and insecure. They lack security properties such as authentication, integrity, and confidentiality. As a result, data and endpoints are at risk. These security properties are necessary for IACS devices to defend themselves against a network-based attack.

Insecure communication protocols can be exploited to make data accessible for anyone to collect, and vulnerable endpoints can become open targets for denial-of-service (DoS) and other types of attacks.

When attackers access a system, they use many ways to exploit the IACS
communication protocol vulnerabilities.
Table 1 - Attack Types

Attack Type                      Description
DoS (Unauthorized Open Access)   An attacker executes a DoS attack that renders the CIP™ device inoperable.
Man-in-the-Middle                The attacker eavesdrops on data in transit to alter the communication between CIP™ devices.
Monitor Data                     The attacker monitors or views sensitive or classified data that is exchanged between CIP devices.

[Each row of the original table is illustrated with a diagram of a Logix 5585 controller front panel; the diagrams are not reproduced here.]


Security Assessment

Getting a security assessment is the starting point for any security implementation. An assessment provides a picture of your current security posture and of the mitigation techniques that can be used to achieve an acceptable risk state.

An assessment is a collaborative process between Operational Technology (OT) and Information Technology (IT) personnel to maximize the protection of confidentiality, integrity, and availability while still providing functionality and usability.

There are three steps to perform a security assessment.

1. Conduct a threat assessment.
A threat assessment considers a range of threats from natural, criminal,
terrorist, to accidental for a given facility/location. Based on business
requirements, a company should evaluate the likelihood for each threat.
2. Perform a vulnerability assessment.
A vulnerability assessment is designed to identify methods by which the
threats can be exploited and to provide recommendations on how to
address these vulnerabilities.
Each vulnerability should be rated for the probability or ease of
exploitation and the resulting impact in terms of cost or injury should
the exploit be successful. This establishes a risk score for each
vulnerability.
3. Perform a risk assessment.
A risk assessment evaluates the risk scores and assigns responses to each
risk. One of the following actions should be taken for each risk:
- Mitigated - A mitigated risk requires an explanation of what was done
to help prevent the vulnerability from being exploited.
- Terminated - A terminated risk requires an explanation of what was
removed or disabled to help prevent the vulnerability from being
exploited.
- Transferred - A transferred risk requires an explanation of what is
being done outside this system to help prevent or respond to the
vulnerability being exploited.
- Accepted - An accepted risk requires notation of the authority
accepting the risk.
Accurately assessing threats and identifying vulnerabilities is critical to
understanding the risk to your IACS assets.
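The three steps above produce a register of vulnerabilities, each with a risk score and an assigned response. The following Go program is an added example of such a register; it is not code from this publication or from Rockwell Automation. The 1..5 rating scales, the score = likelihood x impact formula, and the three sample entries are assumptions constructed for the example (the publication only states that each vulnerability receives a risk score and which record each response requires). The program computes the scores, rejects any entry that lacks the explanation or accepting authority its response demands, and orders the register from highest to lowest score.

```go
package main

import (
	"fmt"
	"sort"
)

// Response is one of the four dispositions a risk assessment assigns to a risk.
type Response string

const (
	Mitigated   Response = "Mitigated"
	Terminated  Response = "Terminated"
	Transferred Response = "Transferred"
	Accepted    Response = "Accepted"
)

// Risk is one vulnerability from the vulnerability assessment together with the
// response chosen in the risk assessment. The 1..5 scales are an assumption made
// for this example; the publication does not prescribe a scale.
type Risk struct {
	Vulnerability string
	Likelihood    int // probability or ease of exploitation: 1 (hard) .. 5 (trivial)
	Impact        int // cost or injury if exploited: 1 (negligible) .. 5 (severe)
	Response      Response
	Justification string // what was done, removed/disabled, or arranged outside the system
	Authority     string // who accepted the risk (required for Accepted)
}

// Score is the risk score; likelihood x impact is the assumed formula.
func (r Risk) Score() int { return r.Likelihood * r.Impact }

// Validate enforces the record that each response type requires.
func (r Risk) Validate() error {
	if r.Likelihood < 1 || r.Likelihood > 5 || r.Impact < 1 || r.Impact > 5 {
		return fmt.Errorf("%s: likelihood and impact must be rated 1..5", r.Vulnerability)
	}
	switch r.Response {
	case Mitigated, Terminated, Transferred:
		if r.Justification == "" {
			return fmt.Errorf("%s: a %s risk needs an explanation of what was done", r.Vulnerability, r.Response)
		}
	case Accepted:
		if r.Authority == "" {
			return fmt.Errorf("%s: an accepted risk must record the accepting authority", r.Vulnerability)
		}
	default:
		return fmt.Errorf("%s: unknown response %q", r.Vulnerability, r.Response)
	}
	return nil
}

// RankRisks rejects an incomplete register and otherwise returns a copy ordered
// from highest to lowest score, so the largest exposures are reviewed first.
func RankRisks(register []Risk) ([]Risk, error) {
	for _, r := range register {
		if err := r.Validate(); err != nil {
			return nil, err
		}
	}
	out := append([]Risk(nil), register...)
	sort.SliceStable(out, func(i, j int) bool { return out[i].Score() > out[j].Score() })
	return out, nil
}

// SampleRegister is a constructed register built around the attack types in Table 1.
func SampleRegister() []Risk {
	return []Risk{
		{Vulnerability: "Drive accepts unauthenticated CIP messages (Man-in-the-Middle)", Likelihood: 4, Impact: 5,
			Response: Mitigated, Justification: "Enabled CIP Security integrity on the controller-to-drive conduit"},
		{Vulnerability: "Plaintext process data readable on the cell network (Monitor Data)", Likelihood: 3, Impact: 2,
			Response: Accepted, Authority: "Plant OT manager"},
		{Vulnerability: "Unused network service exposed to DoS", Likelihood: 2, Impact: 4,
			Response: Terminated, Justification: "Disabled the unused service on the device"},
	}
}

func main() {
	ranked, err := RankRisks(SampleRegister())
	if err != nil {
		panic(err)
	}
	for _, r := range ranked {
		fmt.Printf("score %2d  %-12s %s\n", r.Score(), r.Response, r.Vulnerability)
	}
}
```

Validation runs before ranking on purpose: a register with an accepted risk that names no accepting authority, or a mitigated risk with no explanation, is not a finished assessment and should not be reported as one.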


Defense in Depth Architecture

Industrial security is best implemented as a complete system across your operations. The defense in depth (DiD) approach is common to security standards.

The DiD security approach establishes multiple layers of protection that are
based on diverse technologies through physical, electronic, and procedural
safeguards.

For example, you restrict physical access to managed switches with port locks.
Then you position edge industrial firewalls to restrict access and block
unapproved traffic flows. Finally, you employ an industrial demilitarized zone
(IDMZ) as a perimeter buffer zone between the Industrial and Enterprise
zones. The IDMZ lets secure data sharing and services take place without
direct connection.

The following are key tenets of the DiD security approach:
• Multiple layers of security are more resilient to attack.
• Each layer adds to the one above it.
• It does not replace the need for firewalls or other security infrastructure in a system.

The expectation of the DiD approach is that in the event that an attacker
breaches one layer of defense, there’s always an additional layer that thwarts
their effort.
Figure 1 - Defense in Depth Architecture
[Figure: layers of the DiD architecture as labeled in the figure: Policies, Procedures, Physical; Physical; Network; Computer; Application; Device]


CIP Security is an ODVA Standard

As attackers become more sophisticated and network convergence opens more potential gateways to industrial zones, CIP-connected devices must be able to defend themselves.

Recognizing the need for CIP-connected device protection, ODVA developed CIP Security. It's an open-standard secure communication mechanism for EtherNet/IP™ networks.

The following CIP Security properties are countermeasures that address the
security risks:
• Device identity and authentication
• Data integrity and authentication
• Data confidentiality (encryption)

Positioned at the device-level in the DiD architecture, CIP Security enables CIP-connected devices to authenticate each other before transmitting and receiving data. Device connectivity is limited to only trusted devices.

Optionally, to increase the overall device security posture, it can be combined with data integrity to guard against packet tampering and message encryption to avert unwanted data reading and disclosure.
Figure 2 - CIP Security As Part of Defense in Depth Architecture
[Figure: the layers of Figure 1 (Policies, Procedures, Physical; Physical; Network; Computer; Application) with the innermost layer labeled CIP Security-enabled Device. Callout: CIP Security is positioned at the device-level of the DiD architecture.]


Device Identity/Authentication
Before devices start communicating, each device must be able to verify that the
identity of the device with which it wants to communicate is authentic. This
protects legitimate devices from a rogue device gaining access to the system by
pretending to be a system component.
To build this endpoint trust, a certificate or a pre-shared (secret) key can be used to provide identity to the device:
• A certificate is used to provide identity based on the X.509v3 standard. Certificates are an agreement between communicating parties and a common entity that is called a Certificate Authority (CA). A trusted CA signs and issues certificates to requesters to prove their identities. Mutual trust can be established when communicating parties exchange certificates signed by a common CA.
FactoryTalk® System Services is the certificate authority. It is the service that signs and issues certificates to give assurance of a communicating party's authenticity.
An advantage of using certificates is that they provide a greater level of security than pre-shared keys.
• Pre-shared keys are used to prove identity based on keys that are shared in advance among the communicating parties. Pre-shared keys are an agreement between two entities on the parameters that determine identity and authentication. The entities are the devices that communicate with each other.
An advantage of using pre-shared keys is that they have less performance impact when establishing connections.

IMPORTANT Devices can only use one pre-shared key, as a result, any conduits that are required between any Zones that are configured
with pre-shared key must be created using Trusted IP.


Secure Data Transport

CIP Security is based on the Transport Layer Security (TLS) (RFC 5246) and Datagram Transport Layer Security (DTLS) (RFC 6347) protocols to protect EtherNet/IP data while in transit.

TLS and DTLS are network protocols that facilitate data transfer privately and
securely between an originator and a target device.

TLS provides the following security properties:


• Authentication - Allows each device to confirm their identity through
certificate exchange or pre-shared keys
• Integrity - Makes sure that the data has not been tampered with, or
falsified, while in transit, with TLS Hash-based Message Authentication
Code (HMAC)
• Confidentiality - Data is encrypted while being transmitted between the
originator and target device. Encrypting the data helps prevent
unauthorized parties from reading it.
DTLS is based on TLS but is used for User Datagram Protocol (UDP)
connections instead of Transmission Control Protocol (TCP) connections.

For complete descriptions of the security properties, see the ODVA home page
available at: https://www.odva.org/.
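The following Python model is an added illustration of the three properties listed above; it is not code from this publication or from Rockwell Automation, and it is not the TLS/DTLS handshake or record layer itself. Two parties prove possession of a pre-shared key by challenge-response, then exchange records that carry an HMAC integrity tag, first with integrity only and then with confidentiality added. The key, the EtherNet/IP-style payload and the HMAC-in-counter-mode keystream are constructed for the example (a real TLS cipher suite uses a standard cipher such as AES-GCM). The outcome matches the descriptions in Table 3: with integrity only, an eavesdropper can read the data but any change is rejected; with confidentiality, the data can't be read either.

```python
import hashlib
import hmac
import secrets

# Constructed pre-shared key for this example only. In the system described above
# the PSK is shared in advance between the communicating parties; this value is made up.
PSK = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
TAG_LEN = 16      # bytes of HMAC-SHA256 output kept as the integrity tag
HDR_LEN = 5       # 4-byte sequence number + 1-byte "confidentiality" flag


def derive_key(psk: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific sub-key from the PSK (simple HMAC-based KDF)."""
    return hmac.new(psk, label, hashlib.sha256).digest()


def prove_identity(psk: bytes, peer_id: bytes, challenge: bytes) -> bytes:
    """Answer a fresh challenge; only a holder of the PSK can compute this value."""
    return hmac.new(derive_key(psk, b"auth"), peer_id + challenge, hashlib.sha256).digest()


def mutual_authenticate(originator_psk: bytes, target_psk: bytes) -> bool:
    """Authentication property: each side challenges the other, so both must hold
    the same PSK. A rogue device without the key fails and gets no connection."""
    c_orig, c_target = secrets.token_bytes(16), secrets.token_bytes(16)
    target_answer = prove_identity(target_psk, b"target", c_orig)
    orig_answer = prove_identity(originator_psk, b"originator", c_target)
    target_ok = hmac.compare_digest(prove_identity(originator_psk, b"target", c_orig), target_answer)
    orig_ok = hmac.compare_digest(prove_identity(target_psk, b"originator", c_target), orig_answer)
    return target_ok and orig_ok


def _keystream(psk: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (HMAC in counter mode) standing in for the cipher of a real
    TLS cipher suite. Illustration only; not a production cipher."""
    key, out, counter = derive_key(psk, b"enc"), b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(psk: bytes, seq: int, payload: bytes, confidentiality: bool) -> bytes:
    """Build a record: header || body || tag. With integrity only the payload stays
    readable on the wire; with confidentiality it is encrypted first (encrypt-then-MAC)."""
    header = seq.to_bytes(4, "big") + (b"\x01" if confidentiality else b"\x00")
    body = _xor(payload, _keystream(psk, header, len(payload))) if confidentiality else payload
    tag = hmac.new(derive_key(psk, b"mac"), header + body, hashlib.sha256).digest()[:TAG_LEN]
    return header + body + tag


def unprotect(psk: bytes, record: bytes, expected_seq: int):
    """Verify and open a record. Returns the payload, or None when the tag does not
    match (altered, or sent by a party without the key) or the sequence number is
    not the expected one (replayed or reordered record)."""
    if len(record) < HDR_LEN + TAG_LEN:
        return None
    header, body, tag = record[:HDR_LEN], record[HDR_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(derive_key(psk, b"mac"), header + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    if int.from_bytes(header[:4], "big") != expected_seq:
        return None
    return _xor(body, _keystream(psk, header, len(body))) if header[4] == 1 else body


def demo() -> dict:
    """Walk through the three properties; every value in the result should be True."""
    payload = b"WRITE Tag:Pump1_Speed=1500"   # constructed, EtherNet/IP-style message
    seq, results = 7, {}
    results["mutual_auth_ok"] = mutual_authenticate(PSK, PSK)
    results["rogue_rejected"] = not mutual_authenticate(PSK, bytes(16))   # wrong key
    rec = protect(PSK, seq, payload, confidentiality=False)
    results["integrity_only_is_readable"] = payload in rec         # eavesdropper can read it
    results["integrity_accept"] = unprotect(PSK, rec, seq) == payload
    tampered = bytearray(rec)
    tampered[HDR_LEN + payload.index(b"1500")] = ord("9")          # 1500 -> 9500 in transit
    results["tamper_rejected"] = unprotect(PSK, bytes(tampered), seq) is None
    results["replay_rejected"] = unprotect(PSK, rec, seq + 1) is None
    rec = protect(PSK, seq, payload, confidentiality=True)
    results["confidential_is_hidden"] = payload not in rec
    results["confidential_accept"] = unprotect(PSK, rec, seq) == payload
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The sequence number in the header is what turns the tag into a replay check: a valid record captured and resent is rejected because its number no longer matches the receiver's expectation, which is the same job the TLS record sequence number does. Note that the tag is always verified before the body is decrypted, so a record that fails integrity is never interpreted.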

Table 2 defines the icons that are used in Table 3 on page 16.
Table 2 - CIP Security Icons
(Columns: Name, Symbol, Definition. The symbol images aren't reproduced here.)
• Certificate - An electronic representation of an identity. A certificate binds the identity's public key to its identifiable information, such as
name, organization, email, user name, and/or a device serial number.
This certificate is used to authenticate a connection to a zone or device. Selected by default when CIP Security is enabled.
• Pre-shared key - A secret that is shared among trusted entities to represent identities. FactoryTalk® Policy Manager can create a key that can be
shared.
• Integrity - Checks whether data was altered and whether the data was sent by a trusted entity. Altered and/or untrusted data is rejected.
• Check mark - Symbol used to indicate that the endpoints for communication between devices have been authenticated and can be trusted.
• Encryption - Encodes messages or information to help prevent reading or viewing of EtherNet/IP data by unauthorized parties.


Table 3 describes how secure data transport enables a CIP-connected device to
help protect itself from malicious communication.
Table 3 - CIP Security Properties
(Columns: Security Properties, Description, and an example image. Each image shows FactoryTalk® Linx
communicating with a Logix5585 controller through a 1756-EN4TR module over EtherNet/IP; the images aren't
reproduced, only their captions.)

Device Identity and Authentication
Method of providing secure identity for a device. The following methods can be used:
• Certificates (recommended)
• Pre-shared keys
Together, these properties help the device take the following actions:
• Reject messages that are sent by untrusted devices.
• Help prevent unauthorized devices from establishing connections.
Example image caption: Threat actor can't connect to the CIP-connected device.

Data Integrity and Authentication
Method of providing data integrity and message authentication to EtherNet/IP network communication.
Lets the device take the following actions:
• Reject data that has been altered.
• Help prevent tampering or modification of communication.
Example image caption: Attacker can see the data but can't change the data.

Data Confidentiality
Means of using encryption to encode messages or information that is exchanged across an EtherNet/IP
network.
Lets the device take the following actions:
• Help prevent viewing of EtherNet/IP data by unauthorized parties.
• Help prevent snooping or data disclosure.
IMPORTANT: This security property is optional. Some IACS network communication does not need to be
secure; data integrity and authentication is typically the goal. Encryption typically affects network adapter
capacity.
Example image caption: Attacker cannot see the data.

Chapter 2

CIP Security-capable Rockwell Automation Products

This section describes the components and concepts that are part of the
Rockwell Automation method of implementing CIP Security™ in an IACS.

For information on the tasks that are required to use CIP™ Security-capable
products in an IACS, see the following:
• Chapter 3, CIP Security Implementation Process on page 43
• Chapter 4, CIP Security Implementation Example Architecture on
page 79
• Publications listed in Additional Resources on page 8

Software and Hardware

The list of CIP Security-capable Rockwell Automation® products includes
software products, for example, FactoryTalk® Policy Manager software, which is
used to define the security policy, and hardware products, for example,
ControlLogix® 5580 controllers.

CIP Security Software Applications

IMPORTANT You download software at the Rockwell Automation Product Compatibility and Download Center (PCDC).
To visit the PCDC, go to: https://compatibility.rockwellautomation.com/Pages/home.aspx
• FactoryTalk Policy Manager, version 6.11, and FactoryTalk System Services, version 6.11, are components of FactoryTalk
Services Platform, version 6.11.
When you install FactoryTalk Services Platform, version 6.11, you must select Customize in the installation wizard and
check the boxes to install the FactoryTalk Policy Manager and FactoryTalk System Services components.
For more information, see the FactoryTalk Policy Manager Getting Results Guide, publication FTALK-GR001.
• FactoryTalk Policy Manager, version 6.20 or later, is an independent installation package. FactoryTalk System Services,
version 6.20 or later, is part of the FactoryTalk Policy Manager installation.
FactoryTalk Services Platform, version 6.20 or later, does not include FactoryTalk Policy Manager or FactoryTalk System
Services.
• Before you migrate from version 6.11 to version 6.20 or later, we recommend that you read the following Rockwell Automation
Knowledgebase articles that are available at https://rockwellautomation.custhelp.com/app/home:
– Backup and restore CIP Security models of FactoryTalk Policy Manager and FactoryTalk System Services, click here.
– Fail to migrate existing FactoryTalk System Service data with CIP Security policy models, click here.
– FactoryTalk Policy Manager download and install, click here.
Some hardware devices require later minimum firmware revisions. We recommend that you use the latest version of
FactoryTalk Policy Manager.

Chapter 2 CIP Security-capable Rockwell Automation Products

Table 4 - CIP Security Software
(Columns: Software Application, Description, Minimum Version Required)

FactoryTalk Policy Manager (minimum version required: 6.11)
FactoryTalk Policy Manager is a secure software application that you use to configure, deploy, and
view the system communication security policies.
The security policies are divided into different components, that is, devices, zones, and conduits.
You use these components to design security models that control the permissions and usage of
devices within the system. For more information on security models and how components are
used to design the models, see page 22.
The security policies are distributed to the devices at once. You aren't required to make changes
at the device level and face the risk of human error that results in inconsistent configuration
among the devices.

FactoryTalk System Services (minimum version required: 6.11)
FactoryTalk System Services is a secure EtherNet/IP™ client that runs in the background to deploy
the security policies that are configured in FactoryTalk Policy Manager. You do not take action in
the client.
FactoryTalk System Services provides the following in the FactoryTalk Directory to enforce
security policies that are based on the ODVA CIP Security standard:
• Identity/Authentication Service - Authenticates users and validates user resource requests.
Validates user credentials against the FactoryTalk Directory and FactoryTalk Security policy
settings to obtain the privileges associated with the user.
• Certificate Service - Issues and manages certificates for devices in the FactoryTalk Policy
Manager model.
• Deployment Service - Translates the security policy to CIP™ configurations that are delivered to
endpoints.
• Policy Service - Builds and manages CIP network trust models and defines security policy for the
CIP endpoints.
• Diagnostic Service - Makes FactoryTalk audit and diagnostic logs available as a web service.

FactoryTalk Linx (minimum version required: 6.11)
FactoryTalk Linx is a secure EtherNet/IP client that initiates connections over a secure EtherNet/IP
network with CIP Security-enabled devices.
This server and communication service lets devices communicate with the FactoryTalk
software portfolio and Studio 5000 Logix Designer® application.
IMPORTANT: You can't use RSLinx® Classic software to implement CIP Security in an IACS.

Studio 5000 Logix Designer (minimum version required: determined by what Logix 5000 controller
is in the system and how it is used. For example, to use a ControlLogix 5580 controller's Ethernet port
to connect to the system, you must use software version 32.00.00 or later.
IMPORTANT: There are some configurations in which you can use earlier software versions to connect a
controller to the IACS. For more information, see Appendix A, CIP Security Compatibility on page 107.)
Logix Designer application is a comprehensive programming software that you use with
Logix 5000™ controllers.
IMPORTANT: Logix Designer application isn't required to implement CIP Security.
However, Logix Designer application functions as CIP Security-capable software because it
supports the CIP protocol and uses FactoryTalk Linx software to communicate with other devices
via the CIP protocol.


CIP Security-capable Hardware Devices


The following hardware devices are CIP Security-capable.

IMPORTANT • The minimum firmware revisions that are listed for Logix 5000 controllers in Table 5 represent the first firmware revision at
which you can connect the controller to an IACS with CIP Security implemented via a secure connection to the controller
Ethernet port.
There are some configurations in which you can use earlier firmware revisions to connect the controller to an IACS with CIP
Security implemented. For more information, see Appendix A, CIP Security Compatibility on page 107.
• The table represents products that are CIP Security-capable at the time of this publication.
Over time, new products will be released that are CIP Security-capable. New versions of existing products that aren’t CIP
Security-capable will be released in the future to make them CIP Security-capable.
To see if a product is CIP Security-capable, see the product documentation.

Table 5 - CIP Security Hardware
(Columns: Hardware Product, Description, Minimum Firmware Revision Required)

Armor™ PowerFlex® Drives (minimum firmware revision required: 10.001)
Armor PowerFlex 35E and 35S drives provide high-performance variable frequency motor control 1...10 Hp
in an On-Machine™ package. Armor PowerFlex drives have built-in dual Ethernet ports that let you connect
the drives directly to EtherNet/IP networks. You configure the drive with Logix Designer application. CIP
Security requires use of the built-in dual EtherNet/IP ports that are provided on the Armor
PowerFlex drives.

CompactLogix™ 5380 Controllers (minimum firmware revision required: 34.011)
CompactLogix 5380 controllers use a common Logix control engine and common development
environment to control small to large control systems.
The controllers communicate with, and can control, local and remote devices. Dual built-in Ethernet ports
let the controllers connect to various EtherNet/IP network topologies, including a Device Level Ring (DLR)
network.
You use the Logix Designer application to configure CompactLogix 5380 controllers. The Logix Designer
application version must be compatible with the firmware revision on the controllers.
IMPORTANT: You do not use the Logix Designer application to define the security policy. You use
FactoryTalk Policy Manager to define the security policy.

CompactLogix 5380 Process Controllers (minimum firmware revision required: 34.011)
CompactLogix 5380 Process controllers use a common Logix control engine and common development
environment to control small to large distributed control systems. The process controller focuses on
plantwide process control.
The controllers communicate with, and can control, local and remote devices. Dual built-in Ethernet ports
let the controllers connect to various EtherNet/IP network topologies, including a Device Level Ring (DLR)
network.
You use the Logix Designer application to configure CompactLogix 5380 Process controllers. The Logix
Designer application version must be compatible with the firmware revision on the controllers.
IMPORTANT: You do not use the Logix Designer application to define the security policy. You use
FactoryTalk Policy Manager to define the security policy.

Compact GuardLogix® 5380 Controllers (minimum firmware revision required: 34.011)
Compact GuardLogix 5380 controllers use a common Logix control engine and common development
environment to control small to large control systems.
The controllers communicate with, and can control, local and remote devices. Dual built-in Ethernet ports
let the controllers connect to various EtherNet/IP network topologies, including a Device Level Ring (DLR)
network. These safety controllers achieve up to SIL 2/PLd with 1oo1 architecture or up to SIL 3/PLe with
1oo2 architecture.
You use the Logix Designer application to configure Compact GuardLogix 5380 controllers. The Logix
Designer application version must be compatible with the firmware revision on the controllers.
IMPORTANT: You do not use the Logix Designer application to define the security policy. You use
FactoryTalk Policy Manager to define the security policy.

ControlLogix 5580 Controllers (minimum firmware revision required: 32.011)
ControlLogix 5580 controllers use a common Logix control engine and common development environment
to control large control systems.
The controllers communicate with, and can control, local and remote devices. For example, the devices
can be I/O modules, network communication modules, drives, and operator interfaces.
You use the Logix Designer application to configure ControlLogix 5580 controllers. The Logix Designer
application version must be compatible with the firmware revision on the controllers.
IMPORTANT:
• The description of these controllers applies to ControlLogix 5580 standard and XT controllers. However,
XT controllers can be used in environments with temperatures.
• You do not use the Logix Designer application to define the security policy. You use FactoryTalk Policy
Manager to define the security policy.

ControlLogix 5580 Process Controllers (minimum firmware revision required: 32.011)
ControlLogix 5580 Process controllers use a common Logix control engine and common development
environment to control large distributed control systems. The process controller focuses on plantwide
process control.
The controllers communicate with, and can control, local and remote devices. For example, the devices
can be I/O modules, network communication modules, drives, and operator interfaces.
You use the Logix Designer application to configure ControlLogix 5580 Process controllers. The Logix
Designer application version must be compatible with the firmware revision on the controllers.
IMPORTANT: You do not use the Logix Designer application to define the security policy. You use
FactoryTalk Policy Manager to define the security policy.

1756-EN4TR ControlLogix EtherNet/IP Communication Module (minimum firmware revision required: Any)
The 1756-EN4TR communication module performs the following functions:
• Facilitate high-speed data transfer between ControlLogix 5580 and GuardLogix 5580 controllers and
devices on an EtherNet/IP network.
• Connect Logix 5000 control systems to multiple EtherNet/IP network topologies.

GuardLogix 5580 Controllers (minimum firmware revision required: 34.011)
GuardLogix 5580 controllers use a common Logix control engine and common development environment
to control large control systems.
The controllers communicate with, and can control, local and remote devices. Operating as safety
controllers, they provide SIL2/PLd and SIL3/PLe safety solutions.
You use the Logix Designer application to configure GuardLogix 5580 controllers. The Logix Designer
application version must be compatible with the firmware revision on the controllers.
IMPORTANT: You do not use the Logix Designer application to define the security policy. You use
FactoryTalk Policy Manager to define the security policy.

Kinetix® 5300 Drives (minimum firmware revision required: 13.003)
Kinetix 5300 drives are entry level Integrated Motion on EtherNet/IP servo drives that are designed for
small to medium machines for various motion control applications.

Kinetix 5700 Drives (minimum firmware revision required: 11.001)
Kinetix 5700 drives are single and dual-axis inverters that you can use to expand the use of Integrated
Motion on EtherNet/IP to large, custom machines with high axis counts and power requirements.
The drives have built-in dual Ethernet ports that let you connect the drives directly to EtherNet/IP
networks.

PowerFlex 755T Drives (minimum firmware revision required: 10.001)
PowerFlex 755T drives, bus supplies, and common bus inverters provide common bus, regenerative, and
high-performance variable frequency motor control 10...6000 Hp.
PowerFlex 755T drives have built-in dual Ethernet ports that let you connect the drives directly to EtherNet/
IP networks. CIP Security requires use of the built-in dual EtherNet/IP ports that are provided on PowerFlex
755T Main Control Boards. This feature isn't compatible with network option cards.

PowerFlex 755TS Drives (minimum firmware revision required: 11.001)
The PowerFlex 755TS drives are scalable, next generation PowerFlex drives that are designed to meet your
application needs. TotalFORCE® can now be used in a wider range of applications. This includes traditional
fan, pump, and conveyor applications, and more advanced motor control processes that require high-
performance features that are typically found in specialized drive solutions.

1783-CSP CIP Security Proxy (minimum firmware revision required: Any)
The 1783-CSP Proxy is a standalone device that lets you connect a device that is not CIP™ Security-capable,
also known as the proxied device, to an IACS that has CIP Security enabled.

Use Non-CIP Security-capable Controllers with CIP Security

You can use some non-CIP Security-capable Logix controllers that aren't listed
in Table 5 in an IACS with CIP Security.

For more information on how to do so, see Appendix A, CIP Security
Compatibility on page 107.


Benefits of Using Rockwell Automation Products

Implementing CIP Security with Rockwell Automation products has the
following benefits:
• Centralized System Management - Use FactoryTalk Policy Manager
software to easily create and deploy security policies to many devices at
once.
• Micro-segmentation - Segment the automation application into smaller
cells/zones, thus reducing the attack surface.
• HTTP ports - You can enable or disable unsecure (HTTP) ports/protocols
of devices in a system with CIP Security configured.
• Legacy system support - The following options are available to use
products that aren't CIP Security-capable in a specific unsecured
communication network that deploys the CIP Security feature:
- Use the 1783-CSP CIP Security Proxy to connect a device that is not CIP
Security-capable to an IACS that has CIP Security™ enabled.
- Retrofit ControlLogix 5570-based systems with a 1756-EN4TR
communication module.
- AllowedList - Authorize specific communication based on IP address.
In FactoryTalk Policy Manager, the Authentication Method property for a conduit
uses the term Trusted IP to represent AllowedList.

IMPORTANT Make sure that you are aware of the limitations of AllowedList as a security
measure before its use.


CIP Security Properties

CIP Security is comprised of a security profile, attributes, and components.
These key mechanisms facilitate the security requirements for the resource
that you are trying to protect.

Security Profile and Attributes

CIP Security defines the concept of a security profile. A security profile is a set
of well-defined capabilities to facilitate device interoperability and end-user
selection of devices with the appropriate security capability. A security profile
describes what security features a given device supports. The device enforces
the security policy based on its security profile.
Understanding that security is a balance and not every CIP-connected device
requires the same level of security, FactoryTalk Policy Manager lets
administrators enable only the desired attributes when they create a security
profile.

The Device Identity/Authentication attribute must be enabled before the
options for enabling Data Integrity and Data Confidentiality become available.

Rockwell Automation CIP Security-capable products support the following
security attributes:
• Device Identity and Authentication - A certificate based on the X.509 v3 standard is used to provide identity.
Pre-shared keys are shared secrets that are shared among trusted entities and are used to provide identity.
The TLS protocol facilitates mutual authentication to create trusted endpoints.
• Data Integrity - Keyed-Hash Message Authentication Code (HMAC) is used as a cryptographic method of
providing data integrity and message authenticity to EtherNet/IP traffic.
• Data Confidentiality - Data encryption is used to encode messages or information to help prevent reading or
viewing of EtherNet/IP data by unauthorized parties.

IMPORTANT The rest of this section describes each component and, for zones and
conduits, steps to create and configure them. However, the descriptions
aren't exhaustive.
For more detailed information on security models, including the tasks that
you must complete to configure them, see the FactoryTalk Policy Manager
Getting Results Guide, publication FTALK-GR001.

The following table describes icons that are used in this publication (the icon images aren't reproduced here).
• Represents a CIP Security connection to a device.
• Represents a trusted, but not secure, connection to a device.


CIP Security Components

FactoryTalk Policy Manager divides the system security policies into different
components. The following components are used to design security models:
• Devices
• Zones
• Conduits

Devices

Devices are the modules, drives, controllers, HMI panels, computers, and
servers that work together to create an IACS network. You add devices that
share security requirements for a particular function to the same zone.

Consider the following about devices in the security model when you use them in an
IACS network:
• The lists of current CIP Security-capable Rockwell Automation products
are on page 17 and page 19.
More CIP Security-capable Rockwell Automation products are
in development.
• Just because a device is CIP Security-capable, you aren't required to
enable CIP Security on that device in an IACS network.
• You can use non-CIP Security-capable devices in an IACS that includes
CIP Security-enabled devices.


Zones

Zones are groups to which devices are added. Zones establish the rules for data
integrity, data privacy, and the authentication method that is used to
authenticate trusted devices.
• You can have multiple zones in a system and set security policy on a
zone-by-zone basis. By using zones, you simplify management of large
sets of devices in a system.
• Zones can include devices that are CIP Security-capable and devices that
aren’t. There can be multiple zones in an IACS network, but a device can
only belong to one zone.
• Once a CIP Security-capable device is added to a zone, the device uses the
policy settings of that zone.
Communication between devices in the same zone is implied and
mutually trusted. Therefore, you do not have to create conduits between
devices in the same zone.
Figure 3 shows a zone that includes devices that are CIP Security-capable, for
example, a ControlLogix 5580 controller, and devices that aren’t, for example, a
PanelView™ Plus terminal.
Figure 3 - Security Model - Zones
[Figure not reproduced. It shows a single zone containing a controller, drives, a 1783-CSP proxy
and the devices behind it; the only text labels in the figure are "Zone" and "1783-CSP".]

Conduits

Conduits create trusted communication pathways outside of zones. You must
have at least two endpoints, that is, zones or devices, to create a conduit.

Conduits facilitate secure communication in the following ways:
• Zone to zone
• Device to device
• Device to zone
Conduits let you configure trust beyond individual zones using the
following methods:
• Trusted IP authentication method - Assigns a trust relationship to an
asset based on its IP address. Also known as AllowedList.
• Certificate authentication method - Establishes the identity of the device
by using a certificate from a trusted authority.

IMPORTANT Currently, a device can't use multiple pre-shared keys.
If you require communication between a zone that is configured with a
pre-shared key and other zones, you must configure a conduit that uses the
Trusted IP authentication method to the other zones.

Figure 4 shows conduits in a system with multiple zones.

Figure 4 - Security Model - Conduits
[Figure not reproduced. It shows a PC Zone, Zone 1 and Zone 2 joined by Conduit 1 and Conduit 2;
each device zone contains controllers, drives and a 1783-CSP proxy.]

Security Model

The security model is a fully configured instance of zones, devices, and
conduits, along with their respective CIP Security properties, in FactoryTalk
Policy Manager software. The zones and conduits structure the security model.
The security model is deployed to the devices in the IACS via security profiles
for individual devices.
If multiple devices use the same security policies and are in the same zone, we recommend that you configure the security policies at
the zone level.
The advantage to configuring security policies at the zone level is that you can configure the policies once and apply them to multiple
devices. This method avoids the possibility of differences in security policies across devices that should use the same policies.

Zone Properties
Table 6 lists the configurable fields that are available when you configure zone
properties. (The example FactoryTalk Policy Manager screen shown in the table isn't reproduced.)
Table 6 - Zone Security Properties
(Columns: Property, Available Choices)
• Name - User configurable
• Description - User configurable
• Enable/Disable CIP Security - Enable; Disable
• Authentication Method - Certificate; Pre-Shared Key
• I/O Data Security - None; Integrity Only; Integrity + Confidentiality
• Messaging Security - Integrity Only; Integrity + Confidentiality
• Disable Ports - HTTP (80) - Enable; Disable

IMPORTANT For more information on the Zone Properties, see the FactoryTalk Policy Manager Getting Results Guide, publication
FTALK-GR001.


Conduit Properties
Table 7 lists the configurable fields that are available when you configure
conduit security policy. (The example FactoryTalk Policy Manager screen shown in the table isn't reproduced.)
Table 7 - Conduit Security Properties
(Columns: Property, Available Choices)
• Name - User configurable
• Description - User configurable
• Connection - Endpoint 1 (Device or Zone) and Endpoint 2 (Device or Zone). The connection can be any of
the following based on how you assign each endpoint:
- Device-to-Device
- Device-to-Zone
- Zone-to-Zone
• Authentication Method - Trusted IP; Certificate
• I/O Data Security - None; Integrity Only; Integrity + Confidentiality
• Messaging Security - Integrity Only; Integrity + Confidentiality

IMPORTANT For more information on the Conduit Properties, see the FactoryTalk Policy Manager Getting Results Guide, publication
FTALK-GR001.
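As an added example, not code from this publication and not FactoryTalk Policy Manager's own implementation (whose internals this publication does not describe), the following Python sketch encodes the zone and conduit rules stated in this chapter and uses the property values from Table 6 and Table 7: a device belongs to only one zone; communication inside a zone is implied and takes the zone policy; communication across zones needs a conduit whose endpoints are devices or zones; a conduit toward a zone that uses a pre-shared key must use Trusted IP; and a device that isn't CIP Security-capable, or a zone with CIP Security disabled, gets a trusted but not secure connection. The device names, IP addresses and zone layout are constructed, loosely following Figure 4.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Property values as they are named in Table 6 and Table 7.
CERTIFICATE, PRE_SHARED_KEY, TRUSTED_IP = "Certificate", "Pre-Shared Key", "Trusted IP"
NONE, INTEGRITY, INTEGRITY_CONF = "None", "Integrity Only", "Integrity + Confidentiality"


@dataclass
class Device:
    name: str
    ip: str                                   # constructed addresses in the demo below
    cip_security_capable: bool = True


@dataclass
class Zone:
    name: str
    cip_security: bool = True                 # Enable/Disable CIP Security
    authentication_method: str = CERTIFICATE  # Certificate or Pre-Shared Key
    io_data_security: str = INTEGRITY
    messaging_security: str = INTEGRITY
    members: List[str] = field(default_factory=list)


@dataclass
class Conduit:
    name: str
    endpoint1: str                            # a device name or a zone name
    endpoint2: str
    authentication_method: str = CERTIFICATE  # Trusted IP or Certificate
    io_data_security: str = INTEGRITY
    messaging_security: str = INTEGRITY


class SecurityModel:
    """Zones, devices and conduits, plus the rules the text states about them."""

    def __init__(self) -> None:
        self.devices: Dict[str, Device] = {}
        self.zones: Dict[str, Zone] = {}
        self.conduits: List[Conduit] = []

    def add_device(self, device: Device, zone_name: str) -> None:
        if device.name in self.devices:       # a device can belong to only one zone
            raise ValueError(f"{device.name} is already in a zone")
        self.devices[device.name] = device
        self.zones[zone_name].members.append(device.name)

    def zone_of(self, device_name: str) -> Zone:
        return next(z for z in self.zones.values() if device_name in z.members)

    def _touches(self, endpoint: str, device_name: str) -> bool:
        return endpoint == device_name or endpoint == self.zone_of(device_name).name

    def validate(self) -> List[str]:
        """Problems a deployment check should refuse; an empty list means consistent."""
        problems = []
        for c in self.conduits:
            for ep in (c.endpoint1, c.endpoint2):
                zone = self.zones[ep] if ep in self.zones else self.zone_of(ep)
                # A device can use only one pre-shared key, so a conduit that reaches a
                # pre-shared-key zone must use Trusted IP (as the text above states).
                if zone.authentication_method == PRE_SHARED_KEY and c.authentication_method != TRUSTED_IP:
                    problems.append(f"{c.name}: {ep} uses a pre-shared key, so the conduit must use {TRUSTED_IP}")
        return problems

    def effective_policy(self, src: str, dst: str) -> Optional[dict]:
        """Settings that protect traffic between two devices, or None if no path is trusted."""
        zs, zd = self.zone_of(src), self.zone_of(dst)
        capable = self.devices[src].cip_security_capable and self.devices[dst].cip_security_capable
        if zs is zd:
            # Same zone: trust is implied and the zone policy applies; no conduit is needed.
            if not (zs.cip_security and capable):   # trusted, but not secure, connection
                return {"via": zs.name, "authentication": NONE, "io": NONE, "messaging": NONE}
            return {"via": zs.name, "authentication": zs.authentication_method,
                    "io": zs.io_data_security, "messaging": zs.messaging_security}
        t = self._touches
        for c in self.conduits:
            if (t(c.endpoint1, src) and t(c.endpoint2, dst)) or (t(c.endpoint1, dst) and t(c.endpoint2, src)):
                return {"via": c.name, "authentication": c.authentication_method,
                        "io": c.io_data_security, "messaging": c.messaging_security}
        return None                                 # different zones and no conduit


def build_example_model() -> SecurityModel:
    """Constructed model in the shape of Figure 4: a PC zone and two device zones."""
    m = SecurityModel()
    for z in (Zone("PC Zone"),
              Zone("Zone 1", io_data_security=INTEGRITY_CONF, messaging_security=INTEGRITY_CONF),
              Zone("Zone 2", authentication_method=PRE_SHARED_KEY)):
        m.zones[z.name] = z
    m.add_device(Device("Workstation", "192.0.2.10"), "PC Zone")     # FactoryTalk Linx host
    m.add_device(Device("CLX5580", "192.0.2.21"), "Zone 1")
    m.add_device(Device("PanelView", "192.0.2.22", cip_security_capable=False), "Zone 1")
    m.add_device(Device("CPX5380", "192.0.2.31"), "Zone 2")
    m.conduits.append(Conduit("Conduit 1", "PC Zone", "Zone 1"))
    m.conduits.append(Conduit("Conduit 2", "PC Zone", "Zone 2", authentication_method=TRUSTED_IP))
    return m


def misconfigured_problems() -> List[str]:
    """Add a certificate conduit toward the pre-shared-key zone and collect the problems."""
    m = build_example_model()
    m.conduits.append(Conduit("Conduit 3", "Zone 1", "Zone 2"))
    return m.validate()
```

Calling `build_example_model().validate()` returns an empty list, while `misconfigured_problems()` reports that Conduit 3 reaches a pre-shared-key zone without using Trusted IP, which is the situation the IMPORTANT note under Conduits warns about. `effective_policy` answers the question a reviewer of a model usually has: for a given pair of devices, which zone or conduit governs the traffic and with what integrity and confidentiality settings, and whether there is any trusted path at all.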


Limitations and Considerations

The following are limitations and considerations of the solution from
Rockwell Automation to implement CIP Security in an IACS:
• Devices That Support DLR/Linear and Dual-IP EtherNet/IP Modes
• Initial Security Model Deployment Fails If ControlLogix 5580 Controller
is in Run Mode
• Cannot Download to ControlLogix 5580 Controller from Unsecure
Workstation
• Workstation Cannot Download to a Secured ControlLogix 5580
Controller if Security Policies Do Not Match
• Network Address Translation
• Policy Provisioning
• CIP Bridging Control
• Use of I/O Connections in Redundancy Configuration
• RSLinx Classic Software
• Disable CIP Security

Devices That Support DLR/Linear and Dual-IP EtherNet/IP Modes


Most CIP Security-capable devices with built-in dual Ethernet ports use one IP
address for both ports and you can secure connections on both ports, for
example, in a Device Level Ring network.
CIP Security-capable devices with built-in dual Ethernet ports, that is,
CompactLogix 5380 and Compact GuardLogix 5380 controllers, support the
following EtherNet/IP modes. The modes determine how the controllers
connect to EtherNet/IP networks and how they operate on them.
• Linear/DLR
• Dual-IP

Linear/DLR

In DLR/Linear mode, the device uses one IP address for both Ethernet ports
and you can secure communication on both ports.


Dual-IP Mode

In Dual-IP mode, Ethernet ports A1 and A2, respectively, can connect to
separate EtherNet/IP networks. In this mode, each port requires its own
network configuration.

Port A1 can connect to enterprise-level networks and device-level networks.
Port A2 can only connect to device-level networks. Figure 5 shows example applications
in which CompactLogix 5380 controllers use Dual-IP mode.
Figure 5 - Dual-IP Mode Examples
[Figure not reproduced. Labels in the figure: Port A1 connected to a plant-wide operations system
or to an enterprise-level network; Port A2 connected to a device-level network.]

When you use Dual-IP mode, you can only secure the connection on one
Ethernet port for CIP Security.

IMPORTANT You must install FactoryTalk Policy Manager and FactoryTalk System
Services software on the same server as the FactoryTalk Directory.
Therefore, the server with this software must be connected to the same
network as the secured port.
Because CIP Security does not support configuring separate security
policies for the different Ethernet ports on the same device, you can only
deploy a security model to one of the networks to which the controller is
connected.
For example, if you secure the port A1 connection to an enterprise-level
network, you can’t deploy a security model to the network to which port A2
is connected.

For more information on Dual-IP mode, see the CompactLogix 5380 and
Compact GuardLogix 5380 Controllers User Manual, publication 5069-UM001.

Initial Security Model Deployment Fails If ControlLogix 5580 Controller
is in Run Mode
If a ControlLogix 5580 controller is in Run mode, that is, the keyswitch is in the
RUN position, the first time that you attempt to deploy the security model in
FactoryTalk Policy Manager software, the deployment fails. The initial security
model deployment is successful if the controller is in Remote Run, Remote
Program, or Program mode.

IMPORTANT This designed limitation protects the controller from a DoS attack by an
attacker. The asset owner is the only party with physical access to the
controller.
Confirm that the controller mode is Remote Run, Remote Program, or
Program so that the initial security deployment is successful. If desired,
you can change the controller to Run mode after the initial deployment;
future security model deployments are then successful.

After a ControlLogix 5580 controller has a security profile, the controller mode
does not affect future security model deployments.

Cannot Download to ControlLogix 5580 Controller from Unsecure
Workstation
This limitation is only present under the following conditions:
• FactoryTalk Policy Manager, version 6.11
• FactoryTalk System Services, version 6.11
• Logix Designer application, version 32
• ControlLogix 5580 controller, firmware revision 32.xxx
To avoid this limitation, upgrade the software and controller firmware listed
above to the next major versions and revision, respectively.
After you enable CIP Security in the ControlLogix 5580 controller, once the
controller has been removed from the zone you can’t download a Logix
Designer application project to it without first resetting the controller to its
factory default settings.

[Figure: an unsecured workstation running Studio 5000 Logix Designer,
version 32, outside the zone, and a ControlLogix 5580 controller, firmware
revision 32.xxx, inside the zone. Callout: Cannot download because the
security policy hasn’t been cleared via FactoryTalk Policy Manager.]

Workstation Cannot Download to a Secured ControlLogix 5580
Controller if Security Policies Do Not Match
A workstation running the Logix Designer application can’t download a project
to a Logix 5000 controller if the project has a different security configuration
than the Logix 5000 controller.

IMPORTANT Consider the following:
• This designed limitation enforces a high security standard to protect the
controller because the controller is the most valuable asset in the IACS.
• The limitation only occurs when the workstation and the Logix 5000
controller reside in different zones.
• In this situation, the controller must connect directly to the EtherNet/IP
network.
The following example uses a ControlLogix 5580 controller. The following
conditions exist:
• The workstation is configured for permitted communication, that is,
Authentication Method = Trusted IP.
• The ControlLogix 5580 controller is configured for secure
communication, that is, Authentication Method = Certificate or
Authentication Method = Pre-shared Key (PSK).

[Figure: a PC Zone containing a workstation configured for permitted
communication, and Zone 1 containing a ControlLogix 5580 controller
configured for secure communication.]


To avoid this limitation, update the workstation and controller security
profiles to use Authentication Method = Certificate.

[Figure: a PC Zone containing a workstation configured for secure
communication, and Zone 1 containing a ControlLogix 5580 controller
configured for secure communication.]

Secure the Programming Connection to Redundant
ControlLogix 5580 Controllers
You can secure connections between a workstation that is running the Logix
Designer application and a ControlLogix 5580 controller redundant pair
without the need for a 1783-CSP Proxy. The secure connection supports class 3
communications, for example, program upload or download and monitoring
diagnostics.
You must use the following components:
• ControlLogix 5580 controller, firmware revision 34.011 or later
• Two 1756-EN4TR communication modules, firmware revision 4.001 or
later, one in each chassis

IMPORTANT The 1756-EN4TR communication modules must be configured not to
use IP address swapping.
• Two 1756-EN2 or 1756-EN communication modules, one in each chassis,
that connect to the I/O devices


Figure 6 on page 33 shows an application in which a workstation that is
running the Logix Designer application and FactoryTalk Linx software is
connected to a ControlLogix 5580 controller redundant pair.
Figure 6 - ControlLogix 5580 Controllers - Redundant Chassis Connected to I/O Network Devices
[Figure: a workstation with the Logix Designer application and FactoryTalk
Linx software, in a secure enclosure with a Stratix 5400 switch, connected to
a primary ControlLogix chassis and a secondary ControlLogix chassis. Each
chassis holds a 1756-EN4TR and a 1756-L85E controller. The chassis pair is
connected to FLEX 5000 I/O devices (5094-AENTR adapters with 5094-IB16
and 5094-OB16 modules) over a DLR ring.]
IMPORTANT:
• The 1756-EN4TR communication modules in slot 1 of the redundant
chassis pair must be configured to not use IP address swapping.
• The 1756-EN2TR communication modules in slot 2 of the redundant
chassis pair must be configured to use IP address swapping.
• This example shows the controller redundant pair connected to a
DLR ring. You can also use a PRP architecture.

Secure the Programming Connection to the CompactLogix 5380
Controllers
You can secure connections between a workstation that is running the Logix
Designer application and a CompactLogix™ 5370 or CompactLogix 5380
controller without the need for a 1783-CSP Proxy. The secure connection
supports class 3 communications, for example, program upload or download
and monitoring diagnostics.

The CompactLogix 5380 controllers must use firmware revision 34.011 or later.
There is no need for the 1783-CSP Proxy because you can connect the
workstation to an Ethernet port on the controller.

Figure 7 shows an application in which the workstation that is running the
Logix Designer application and FactoryTalk Linx software is connected to a
CompactLogix 5370 controller via a 1783-CSP Proxy. The controller is operating
in Linear/DLR EtherNet/IP mode.

IMPORTANT This example shows the controller that is connected to a DLR ring via a
1783-ETAP tap. The controller can be connected to any valid I/O
architecture, for example, a Linear topology that does not include a 1783-
ETAP tap, and the concepts that are described in this section still apply.
Figure 7 - CIP Security with CompactLogix 5380 Controllers Connected to the I/O Network
[Figure: a workstation with the Logix Designer application and FactoryTalk
Linx software, in a secure enclosure, connected through a 1783-ETAP tap to a
CompactLogix 5380 controller and FLEX 5000 I/O (5094-AENTR adapter with
5094-IB16 and 5094-OB16 modules) on a DLR ring.]

Network Address Translation
Network Address Translation (NAT) is supported with CIP Security only if the
computer/server with FactoryTalk Policy Manager can access the CIP Security
endpoint via an IP address. That is, the devices behind the NAT have IP
addresses that are accessible from devices on the outside.


In this example, the 1756-EN4TR in M1 Zone (Machine 1) can use CIP Security
because the Stratix® 5700 switch performing the NAT contains a NAT
translation for the 1756-EN4TR and a Gateway Translation. When NAT with
routing is configured correctly in a network, the outside computer/server with
FactoryTalk Policy Manager can access the CIP Security endpoint via the
Outside translated IP address that is configured in the Stratix 5700 switch.

It’s important that NAT is properly configured before you apply any CIP
Security implementation. For more information, see Deploying Network
Address Translation within a CPwE Architecture Design and Implementation
Guide, publication ENET-TD007.

[Figure: NAT example. A Layer 3 switch in the Main Zone routes between the
VLANs. M1 Zone (Machine 1) and M2 Zone (Machine 2) each sit behind a Stratix
5700 industrial Ethernet switch (IES) performing NAT, and both reuse the same
inside subnet, 192.168.1.x/24.]

Routing Table (Layer 3 Main Zone Switch)
VLAN ID - Description   IP Address
10 - M1 Zone            10.10.10.1
20 - M2 Zone            10.10.20.1
30 - Main Zone          10.10.30.1
40 - PC Zone            10.10.40.1

PC Zone (VLAN 40, Outside)
10.10.40.100   FactoryTalk Policy Manager, FactoryTalk System Services, FactoryTalk Linx
10.10.40.200   FactoryTalk Linx, Studio 5000®

Main Zone (VLAN 30, Outside)
10.10.30.15    Line Controller

M1 Zone (VLAN 10) and M2 Zone (VLAN 20), Inside (192.168.1.x/24)
1756-EN4TR at .10; other inside devices at .11 - .13, .14 - .15, and .16

Machine 1 NAT Table
Inside to Outside:  M1 1756-EN4TR   192.168.1.10 -> 10.10.10.10
Gateway Translation (Outside to Inside):  10.10.10.1 -> 192.168.1.1

Machine 2 NAT Table
Inside to Outside:  M2 1756-EN4TR   192.168.1.10 -> 10.10.20.10
Gateway Translation (Outside to Inside):  10.10.20.1 -> 192.168.1.1

Conduit Types
• (Outside) Device to (Inside) Device
• (Inside) Device to (Inside) Device
• (Outside) Device to (Inside) Device and (Outside) Zone to (Outside) Zone
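The NAT condition stated above, as an added preflight check in Python (example code, not Rockwell software). It models the figure's Stratix 5700 NAT tables, where inside address 192.168.1.10 is translated to 10.10.10.10 in M1 and 10.10.20.10 in M2 with a gateway translation in each zone; the drive at 192.168.1.11 with no NAT entry is a constructed case, and the class and function names are assumptions.

```python
"""Preflight check for CIP Security policy deployment behind 1:1 NAT.

Added example, not Rockwell code. It models the Stratix 5700 NAT
configuration in the Network Address Translation figure: M1 Zone and
M2 Zone both use 192.168.1.0/24 inside, and each switch holds an
inside-to-outside entry for its 1756-EN4TR plus a gateway translation.
FactoryTalk Policy Manager can only deploy to an endpoint it reaches
by an outside (translated) IP address.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, Tuple


@dataclass
class NatInstance:
    """One Stratix 5700 NAT instance (one per machine zone)."""
    zone: str
    inside_net: IPv4Network
    # inside device address -> outside (translated) address
    device_table: Dict[IPv4Address, IPv4Address] = field(default_factory=dict)
    # outside gateway address -> inside gateway address
    gateway_table: Dict[IPv4Address, IPv4Address] = field(default_factory=dict)


@dataclass
class Endpoint:
    name: str
    zone: str
    inside_ip: IPv4Address
    inside_gateway: IPv4Address  # default gateway configured on the device


def resolve_outside_address(ep: Endpoint, nats: Dict[str, NatInstance]) -> IPv4Address:
    """Return the outside address FactoryTalk Policy Manager must use for ep.

    Raises ValueError with the reason when the NAT cannot carry the
    deployment: the device has no inside-to-outside entry, or there is
    no gateway translation for the device's default gateway, so replies
    from the device could not be routed back to the outside server.
    """
    if ep.zone not in nats:
        raise ValueError(f"{ep.name}: no NAT instance for zone {ep.zone}")
    nat = nats[ep.zone]
    if ep.inside_ip not in nat.inside_net:
        raise ValueError(f"{ep.name}: {ep.inside_ip} is not in {nat.inside_net}")
    outside = nat.device_table.get(ep.inside_ip)
    if outside is None:
        raise ValueError(f"{ep.name}: no inside-to-outside NAT entry for {ep.inside_ip}")
    if ep.inside_gateway not in nat.gateway_table.values():
        raise ValueError(f"{ep.name}: no gateway translation for {ep.inside_gateway}")
    return outside


def preflight(endpoints: Iterable[Endpoint],
              nats: Dict[str, NatInstance]) -> Dict[str, Tuple[str, str]]:
    """Map each endpoint name to ("ok", outside_ip) or ("blocked", reason)."""
    report = {}
    for ep in endpoints:
        try:
            report[ep.name] = ("ok", str(resolve_outside_address(ep, nats)))
        except ValueError as exc:
            report[ep.name] = ("blocked", str(exc))
    return report


# Constructed from the figure's Machine 1 and Machine 2 NAT tables.
NATS = {
    "M1": NatInstance("M1", IPv4Network("192.168.1.0/24"),
                      {IPv4Address("192.168.1.10"): IPv4Address("10.10.10.10")},
                      {IPv4Address("10.10.10.1"): IPv4Address("192.168.1.1")}),
    "M2": NatInstance("M2", IPv4Network("192.168.1.0/24"),
                      {IPv4Address("192.168.1.10"): IPv4Address("10.10.20.10")},
                      {IPv4Address("10.10.20.1"): IPv4Address("192.168.1.1")}),
}

ENDPOINTS = [
    Endpoint("M1 1756-EN4TR", "M1", IPv4Address("192.168.1.10"), IPv4Address("192.168.1.1")),
    Endpoint("M2 1756-EN4TR", "M2", IPv4Address("192.168.1.10"), IPv4Address("192.168.1.1")),
    # Hypothetical inside device with no NAT entry: a policy cannot be deployed to it.
    Endpoint("M1 drive (hypothetical)", "M1", IPv4Address("192.168.1.11"),
             IPv4Address("192.168.1.1")),
]

if __name__ == "__main__":
    for name, (state, detail) in preflight(ENDPOINTS, NATS).items():
        print(f"{name}: {state} ({detail})")
```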


Policy Provisioning
CIP Security protocol policies can only be deployed over an EtherNet/IP
network. A device must reside on the same physical Ethernet network as the
FactoryTalk Policy Manager server or on a different network connected with a
router. Policy deployment over multiple different networks and platforms
using CIP Bridging is not supported.

For example, in Figure 8 on page 37, you can deploy CIP Security policies to
Kinetix 5700 Drives_1 and Kinetix 5700 Drives_2 because they are on the same
physical Ethernet network.

You can’t provision the policy to Kinetix 5700 Drives_3 because it is on a
different physical network. Even though CIP allows communication bridging
over multiple networks and backplanes, CIP Security is effective only on a
single (or multiple routed) network, and FactoryTalk Policy Manager
software deploys policies accordingly.

To provision CIP Security policies to devices connected to 1756-EN4TR
Bridge_2, such as the 5069-AENTR, 5094-AENTR, and Kinetix 5700 Drives_3, you
need a second instance of FactoryTalk Policy Manager connected directly to
that physical Ethernet network.
CIP Security is easier to deploy and manage in flat EtherNet/IP networks designed and
implemented according to Converged Plantwide Ethernet (CPwE) principles. For more
information, see Deploying CIP Security within a Converged Plantwide Ethernet
Architecture, publication ENET-TD022.


Figure 8 - Policy Provisioning
[Figure: a ControlLogix chassis with a 1756-L85E controller and two 1756-EN4TR
modules. The first 1756-EN4TR shares a physical Ethernet network (Stratix 5400
switch) with the server running FactoryTalk Policy Manager, FactoryTalk System
Services, and FactoryTalk Linx, a workstation running FactoryTalk Linx and
Studio 5000 Logix Designer, Kinetix 5700 Drives_1, Kinetix 5700 Drives_2, and
PowerFlex 755T Drives_1. The second 1756-EN4TR, Bridge_2, connects to a
separate physical Ethernet network on which the 5069-AENTR (Compact 5000™
I/O), the 5094-AENTR (FLEX 5000™ I/O), and Kinetix 5700 Drives_3 reside; a
1734-AENTR with 1734 POINT I/O™ also appears in the figure.]

CIP Bridging Control

IMPORTANT CIP Bridging Control is only available with FactoryTalk Policy Manager
software, version 6.30 and later.

CIP Security policies define which EtherNet/IP-enabled devices can
communicate securely with each other, for example, whether a ControlLogix
5580 controller can communicate with a 1756-EN4TR communication module.
CIP Bridging Control complements those policies by doing the same thing at
the device and port level.

The following device families support CIP Bridging Control:
• CompactLogix 5380 controllers, firmware revision 34.011 or later
• ControlLogix 5580 controllers, firmware revision 32.011 or later
• ControlLogix 1756 EN4TR EtherNet/IP communication modules, any
firmware revision

The following are the benefits of using CIP Bridging Control:
• Prevent someone from accessing a secured network from an unsecured
network via backplane, for example, via a 1756-EN2TR EtherNet/IP
communication module.
• Prevent someone from accessing a secured network from a USB port
either directly via a CIP Security-enabled device, for example,
ControlLogix 5580 controller, or indirectly via a non-CIP Security-
capable device, for example, a 1756-EN2TR EtherNet/IP communication
module over a backplane.

CIP Bridging Control Example

This example describes how you can use CIP Bridging Control to segregate
secure and unsecure communication.
It’s common for modern devices to be part of a larger platform connected via a
backplane. Some of them, for example, ControlLogix systems, let you combine
many communication modules for network-to-network connectivity.

With the introduction of CIP Security, many existing control system owners
are challenged by the requirement to define an adoption strategy that becomes
a multi-step process that secures only certain parts of IACS in each step. This
scenario can create a back door to secure networks. Controlling CIP bridging
can help to close that back door.


In Figure 9 on page 40, there are two parts to the application:
• The ControlLogix chassis is configured to segment EtherNet/IP network
traffic so that each of the three 1756-EN2TR EtherNet/IP communication
modules connects to a different physical Ethernet network.
In this case, CIP communication can occur using CIP bridging between
the two I/O networks or between an I/O network and the
HMI/supervisory network.
• In the second diagram, CIP Security is implemented so that you can
make a secure connection to the ControlLogix 5580 controller from
either workstation and prevent access to the secured network via the
other EtherNet/IP communication modules in the chassis.
To implement CIP Security, you complete the following steps.
a. Replace the 1756-EN2TR EtherNet/IP communication module in
slot 1 with a 1756-EN4TR EtherNet/IP communication module.
b. In FactoryTalk Policy Manager software, update and deploy the
security model so that the connection to the 1756-EN4TR EtherNet/IP
communication module is secured.
c. In FactoryTalk Policy Manager software, use CIP Bridging Control
on the 1756-EN4TR EtherNet/IP communication module to prevent
communication between the 1756-EN4TR EtherNet/IP
communication module and either of the 1756-EN2TR EtherNet/IP
communication modules.
By doing so, no device on the networks that are connected to the
1756-EN2TR EtherNet/IP communication modules can access the
secured network.
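A reachability model of two rules from this chapter, Policy Provisioning (only Ethernet and IP-routed paths count for FactoryTalk Policy Manager, never CIP bridging across a backplane) and CIP Bridging Control (the 1756-EN4TR denies bridging to and from the 1756-EN2TR modules), added here as an example in Python and not Rockwell code. Node names follow Figure 8 and Figure 9, and the controller is treated as a path endpoint rather than a CIP router, which is a modelling simplification.

```python
"""Reachability model for policy provisioning and CIP Bridging Control.

Added example, not Rockwell code. Node and link names are constructed
from Figure 8 and Figure 9 of this chapter. Two rules are encoded:
  * FactoryTalk Policy Manager can deploy a policy only to devices it
    reaches over Ethernet or IP routing, never across a chassis
    backplane by CIP bridging.
  * CIP Bridging Control on a 1756-EN4TR denies the backplane path
    between it and named modules (here the 1756-EN2TR modules).
Modelling simplification: the controller is treated as a path endpoint,
not as a CIP router between backplane modules.
"""
from collections import deque
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# (kind, a, b): kind is "eth" (device attached to an Ethernet network),
# "route" (Layer 3 router joining two networks) or "backplane"
# (two modules that can CIP-bridge through the same chassis).
Link = Tuple[str, str, str]


class Topology:
    def __init__(self, links: Iterable[Link], endpoints: Set[str] = frozenset()):
        self.adj: Dict[str, Set[Tuple[str, str]]] = {}
        self.endpoints = set(endpoints)  # nodes that never forward traffic
        for kind, a, b in links:
            self.adj.setdefault(a, set()).add((kind, b))
            self.adj.setdefault(b, set()).add((kind, a))

    def reachable(self, start: str, kinds: Set[str],
                  denied: Set[FrozenSet[str]] = frozenset()) -> Set[str]:
        """Breadth-first search over links of the given kinds, skipping
        backplane module pairs that CIP Bridging Control has denied."""
        seen, queue = {start}, deque([start])
        while queue:
            node = queue.popleft()
            if node in self.endpoints and node != start:
                continue  # reached, but it does not bridge onward
            for kind, nxt in self.adj.get(node, ()):
                if kind not in kinds:
                    continue
                if kind == "backplane" and frozenset((node, nxt)) in denied:
                    continue
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen


def provisionable(topo: Topology, policy_manager: str,
                  devices: List[str]) -> Dict[str, bool]:
    """Which devices FactoryTalk Policy Manager can deploy a policy to."""
    ip_reach = topo.reachable(policy_manager, {"eth", "route"})
    return {d: d in ip_reach for d in devices}


def cip_reachable(topo: Topology, start: str,
                  denied: Set[FrozenSet[str]] = frozenset()) -> Set[str]:
    """Nodes a CIP message from start can reach, bridging through backplanes
    except where CIP Bridging Control denies the module pair."""
    return topo.reachable(start, {"eth", "route", "backplane"}, denied)


def bridging_control_deny(en4tr: str, modules: Iterable[str]) -> Set[FrozenSet[str]]:
    """CIP Bridging Control entries: no bridging between en4tr and each module."""
    return {frozenset((en4tr, m)) for m in modules}


# Figure 8 (constructed): the second 1756-EN4TR, Bridge_2, leads to a separate
# physical network that only CIP bridging reaches.
FIG8 = Topology([
    ("eth", "PolicyManager", "Net_A"), ("eth", "EN4TR_1", "Net_A"),
    ("eth", "Kinetix5700_Drives_1", "Net_A"), ("eth", "Kinetix5700_Drives_2", "Net_A"),
    ("backplane", "EN4TR_1", "1756-L85E"), ("backplane", "EN4TR_1", "EN4TR_Bridge_2"),
    ("backplane", "1756-L85E", "EN4TR_Bridge_2"),
    ("eth", "EN4TR_Bridge_2", "Net_B"), ("eth", "5069-AENTR", "Net_B"),
    ("eth", "5094-AENTR", "Net_B"), ("eth", "Kinetix5700_Drives_3", "Net_B"),
], endpoints={"1756-L85E"})

# Figure 9 (constructed): slot 1 1756-EN4TR on the HMI/supervisory network,
# two 1756-EN2TR modules on separate EtherNet/IP I/O networks.
FIG9 = Topology([
    ("eth", "Workstation", "Net_HMI"), ("eth", "EN4TR_slot1", "Net_HMI"),
    ("eth", "EN2TR_slot2", "Net_IO1"), ("eth", "IO_device_1", "Net_IO1"),
    ("eth", "EN2TR_slot3", "Net_IO2"), ("eth", "IO_device_2", "Net_IO2"),
    ("backplane", "EN4TR_slot1", "1756-L85E"), ("backplane", "EN2TR_slot2", "1756-L85E"),
    ("backplane", "EN2TR_slot3", "1756-L85E"), ("backplane", "EN4TR_slot1", "EN2TR_slot2"),
    ("backplane", "EN4TR_slot1", "EN2TR_slot3"), ("backplane", "EN2TR_slot2", "EN2TR_slot3"),
], endpoints={"1756-L85E"})
DENY = bridging_control_deny("EN4TR_slot1", ["EN2TR_slot2", "EN2TR_slot3"])

if __name__ == "__main__":
    print(provisionable(FIG8, "PolicyManager",
                        ["Kinetix5700_Drives_1", "Kinetix5700_Drives_2", "Kinetix5700_Drives_3"]))
    print("Net_HMI" in cip_reachable(FIG9, "IO_device_1"))        # back door open
    print("Net_HMI" in cip_reachable(FIG9, "IO_device_1", DENY))  # closed by bridging control
```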


Figure 9 - CIP Bridging Control Example
[Figure, upper diagram - Initial Application Set-up: an HMI/Supervisory
Network hosting Studio 5000 Logix Designer®, FactoryTalk View, FactoryTalk
Policy Manager, FactoryTalk System Services, and FactoryTalk Linx; a chassis
with a 1756-L85E controller and three 1756-EN2TR modules, one on the
HMI/Supervisory Network and two on separate EtherNet/IP I/O Networks.]
[Figure, lower diagram - Updated Application Set-up with CIP Security
Implemented: the same chassis with a 1756-L85E controller, a 1756-EN4TR
module on the HMI/Supervisory Network, and two 1756-EN2TR modules on the
EtherNet/IP I/O Networks.]
1. Replace the 1756-EN2TR in slot 1 with a 1756-EN4TR.
2. Update and deploy the security model to secure the connection
to the ControlLogix 5580 controller.
3. Configure CIP Bridging Control on the 1756-EN4TR to disallow
communication to and from the 1756-EN2TR modules.

Implementing CIP Bridging Control
For information on how to implement CIP Bridging Control, see the
FactoryTalk Policy Manager Getting Results Guide, publication FTALK-GR001.


Use of I/O Connections in Redundancy Configuration
Currently, you can’t establish secure connections with I/O devices in a
ControlLogix Redundancy system.

However, you can establish CIP Security Class 3 connections to a 1756-EN4TR
communication module in a redundant configuration to secure HMI
connections or Studio 5000 Logix Designer connections.

For information on how to secure programming connections to ControlLogix
Redundancy systems, see the CIP Security Proxy User Manual, publication
1783-UM013.

Automatic Device Configuration (ADC)
ADC is a feature of the Logix Designer application that supports the automatic
download of configuration data once a Logix 5000 controller establishes a
connection to a drive and its associated peripherals.

After the device configuration is downloaded, you must add the drive to the
security model and deploy the policy to establish secure connections with the
drive.

This applies whether the drive is CIP Security-capable and connected directly
to the network or non-CIP Security-capable and connected via a 1783-CSP CIP
Security Proxy.

Disable CIP Security
You can use FactoryTalk Linx software, version 6.30.00 or later, to disable CIP
Security on a device. Complete the following steps.
1. Go to the Advanced Settings dialog box.
2. On the General tab, check the Enable Device Configuration
check box.
3. Confirm that the Enable Device Configuration check box is enabled and
click OK.


4. From the Device Configuration menu, complete the following steps.
a. Click the CIP Security tab.
b. Check the Disable CIP Security (Port 2221) check box.
c. Click Refresh.

Add Legacy Devices to the Security Model
You can add legacy devices to the security model and use Trusted IP to
communicate with other devices in the IACS.

However, because such a configuration can result in an unauthorized device,
for example, a hijacked device or a spoofed IP address, we recommend that
you do not connect legacy devices to the IACS.

We recommend that you consider adding legacy devices to the security model
only if they are intended to initiate connections with secured devices and you
accept the associated risk.

RSLinx Classic Software
You can’t use RSLinx® Classic software to implement CIP Security in an IACS
network. You must use FactoryTalk Linx, version 6.11 or later.



Chapter 3

CIP Security Implementation Process

This section describes the overall process of implementing CIP Security™ with
Rockwell Automation® products in a simple IACS.

For information on a more complex IACS, see Chapter 4, CIP Security
Implementation Example Architecture on page 79.

You can use the security assessment process to assign security levels to zones
and conduits. We recommend that you assign zone and conduit security levels
based on the potential consequences if an attack objective were achieved in
that zone.

For more information, see Security Assessment on page 11.

Design and Install the System
You must install software on specific computers and connect hardware devices
to EtherNet/IP™ networks.

IMPORTANT You download software at the Rockwell Automation Product Compatibility
and Download Center (PCDC).
To visit the PCDC, go to: https://compatibility.rockwellautomation.com/
Pages/home.aspx
• FactoryTalk® Policy Manager, version 6.11, and FactoryTalk System Services,
version 6.11, are components of FactoryTalk Services Platform, version 6.11.
When you install FactoryTalk Services Platform, version 6.11, you must select
Customize from the installation wizard and check the boxes for installation
of the FactoryTalk Policy Manager and FactoryTalk System Services
components.
For more information, see the FactoryTalk Policy Manager Getting Results
Guide, publication FTALK-GR001.
• FactoryTalk Policy Manager, version 6.20 or later, is an independent
installation package. FactoryTalk System Services, version 6.20 or later, is
part of the FactoryTalk Policy Manager installation.
FactoryTalk Services Platform, version 6.20 or later, does not include
FactoryTalk Policy Manager or FactoryTalk System Services.
• Before you migrate from version 6.11 to version 6.20 or later, we recommend
that you see the following Rockwell Automation Knowledgebase articles that
are available at https://rockwellautomation.custhelp.com/app/home:
– Backup and restore CIP Security models of FactoryTalk Policy Manager and
FactoryTalk System Services
– Fail to migrate existing FactoryTalk System Service data with CIP Security
policy models
– FactoryTalk Policy Manager download and install
We recommend that you use the latest version of FactoryTalk Policy
Manager.



Chapter 3 CIP Security Implementation Process

At a minimum, the IACS design should include the following information:
• Verification of the system components required to implement
CIP Security into the IACS network.
• Inventory of existing devices and software, including
firmware revisions.
• Detailed observation and documentation of intended system functions
and operation.
• Detailed observation and documentation of required data flows
between devices.

Remember, the system can include products that are CIP™ Security-capable
and products that aren’t. The CIP Security-capable products that are
currently available from Rockwell Automation are listed in the following sections:
• CIP Security Software Applications on page 17
• CIP Security-capable Hardware Devices on page 19

IMPORTANT We generally recommend that you design and implement your CIP Security
model before you download your Logix Designer application project to a
Logix 5000 controller.
However, there are some systems in which it is more appropriate to
download a project to the system before you implement CIP Security.

Identify CIP Security-capable and CIP Security-enabled Devices
In FactoryTalk Policy Manager software, version 6.20 or later, and FactoryTalk
Linx software, version 6.20 or later, icons next to devices in browsed lists
indicate the CIP Security-capable state.
Table 8 - CIP Security Device State Icons
[The icons themselves are not reproduced in this text.]
Icon    Description
[icon]  The device is CIP Security-capable, but no policy is active.
[icon]  The device is CIP Security-capable and
[icon]  The device is CIP Security-capable, but no policy is active.
[icon]  The device is CIP Security-capable, but no policy is active.

The following example shows the CIP Security status of ControlLogix 5580
controllers in FactoryTalk Linx Network Browser.


Unsecure Device Management
You can connect unsecure devices to an IACS with CIP Security implemented.
In this case, the unsecure device is a target device and is not in the CIP Security
model. Devices in the CIP Security model can transmit data to the unsecure
device. The unsecure device, however, cannot transmit data to the devices in
the model.

Identify, Organize, and Create Zones
Zones are groups to which devices are added. Devices that share security
requirements for a particular function, and that you want to trust each other,
can be added to the same zone.

When devices are added to the zone, communication between the devices is
implied while still letting mutual trust be established through an exchange of
certificates or pre-shared keys. It’s worth noting that any device in a zone that
is deemed to be ‘trusted’ is only trusted by other devices in the same zone, not
all devices in the IACS.

For example, if a ControlLogix® 5580 controller and Kinetix® 5700 drives are
added to Zone 1 and certificates are used with integrity, the devices are
authenticated by exchanging certificates with each other.
If a zone includes devices that are non-CIP Security-capable and CIP Security-
enabled devices, connections to the non-CIP Security-capable devices are not
secured using standard ports.

You can create zones and add other computers/servers that do not use
FactoryTalk Linx software but still require communications to IACS devices.
The devices that do not use FactoryTalk Linx are added as generic devices. This
lets you easily create Trusted IP conduits between the computers/servers to the
IACS devices.
Figure 10 - System Implementation - Zones
[Figure: a PC Zone, a Zone 1, and a Zone 2, containing the devices listed in
Table 9.]


After you identify and organize the zones, create a detailed security matrix
that lists what devices occupy each zone.

Table 9 is a security matrix with zones and devices.

Table 9 - Security Matrix - Zones and Devices
PC Zone, server/computer(1):
• FactoryTalk Linx
• FactoryTalk Policy Manager
• FactoryTalk System Services
PC Zone, second computer(2):
• Studio 5000 Logix Designer®
• FactoryTalk Linx
• FactoryTalk View
Zone 1:
• ControlLogix® 5580 controller
• 1756-EN4TR EtherNet/IP communication module
• Kinetix 5700 servo drives
• PowerFlex® 755T drive
• PanelView™ Plus terminal(3)
Zone 2:
• ControlLogix 5580 controller
• 1756-EN4TR EtherNet/IP communication module
• Kinetix 5700 servo drives
• PowerFlex 755T drive
• PanelView Plus terminal(3)
(1) This group of software is installed on the same server/computer.
(2) This group of software is installed on the same computer. It’s a second computer, that is, a different one from the server/computer on which FactoryTalk Linx, FactoryTalk Policy Manager, and
FactoryTalk System Services are installed.
(3) This device is not CIP Security-capable.

Create a Zone
1. In the FactoryTalk Policy Manager navigation bar, choose Zones.
2. On the toolbar next to ZONES, click [+].


A zone is added to the list with the following default values:
• Name - Zone #
• Description - None
• Enable CIP Security - Not selected by default. Check Enable CIP
Security to configure CIP Security-related settings.

3. Add devices to the zone. You can add devices in three ways:
• Discover devices via FactoryTalk Linx.
• Manually add devices.


Configure the Zone


1. In the FactoryTalk Policy Manager navigation bar, choose Zones.
The ZONES column displays a list of the configured zones.
2. In the ZONES column, choose a zone.
3. Change the properties of the zone as appropriate.

If a zone includes devices that aren't CIP Security-capable, a warning
notification appears in the zone properties. An AllowedList isn't needed,
however; all CIP Security-capable devices in the zone automatically allow this
device.

The yellow triangle indicates that non-CIP Security-capable devices are in
the zone.

For more information on zones, see the following:


• FactoryTalk Policy Manager software online help
• FactoryTalk Policy Manager Getting Results Guide, publication
FTALK-GR001


Identify, Organize, and Create Conduits

Conduits create explicit trusted communication pathways between zones,
between zones and devices, and between devices in separate zones. After you
create, identify, and organize the conduits, update the security matrix to
detail the conduits.
Figure 11 - System Implementation - Conduits

[Figure: the PC Zone connects to Zone 1 through Conduit 1 and to Zone 2 through Conduit 2. The device faceplate labels of the drawing are not reproduced.]


Table 10 is an example of an updated security matrix after conduits are
identified and organized.

In the table, the intersection of a Source row and a Destination column
represents the endpoints of the conduit between the two zones. For example,
the cell at column 2/row 3 indicates that Conduit 2 uses a Zone-to-Zone
pathway between PC Zone and Zone 2.
Table 10 - Security Matrix - Conduits

Source / Destination   PC Zone                   Zone 1                    Zone 2
PC Zone                Permit (1)                Conduit 1: Zone-to-Zone   Conduit 2: Zone-to-Zone
Zone 1                 Conduit 1: Zone-to-Zone   Permit                    Denied
Zone 2                 Conduit 2: Zone-to-Zone   Denied                    Permit
(1) Default permits pathway.

Create a Conduit
1. In the FactoryTalk Policy Manager navigation bar, choose Conduits.
2. On the toolbar, click [+].

The CONDUIT PROPERTIES pane opens.


3. In Endpoint 1, next to Select an endpoint, choose Browse for
Endpoint [...].

4. Select the endpoint.

You can choose a zone or device to assign as the first endpoint of the
conduit.

In Filter, you can type part of the name to list only endpoints that match that criterion.


5. Click OK.

6. In Endpoint 2, next to Select an endpoint, choose Browse for
Endpoint [...].


7. Select the endpoint.

You can choose a zone or device to assign as the second endpoint of
the conduit.

In Filter, you can type part of the name to list only endpoints that match that criterion.

8. Click OK.


9. Click Next.

The first conduit appears in the Conduits list.

If you must create another conduit, repeat the process, starting at step 2
on page 50.


Configure the Conduit


1. In the FactoryTalk Policy Manager navigation bar, choose Conduits, and
choose the conduit that you want to configure.

CONDUIT PROPERTIES is automatically opened to the most recently configured conduit.


To edit another conduit, select a conduit from the list to display its properties.

2. Change the conduit properties as needed.


If both endpoints are CIP Security-capable, configure CIP Security
Communication.
• In I/O Data Security and Messaging Security, choose one of
the following:
- Integrity only - Use to check whether the data or message was altered and
reject altered information.
- Integrity & Confidentiality - Use to check integrity and also encrypt the
data or message so that the corresponding decryption key is required to
read the information. Rejects altered and/or untrusted information
while also protecting the confidentiality of the information.
• In I/O Data Security, click None to stop using additional security
checks on I/O data.

For more information on conduits, see the following:


• FactoryTalk Policy Manager software online help
• FactoryTalk Policy Manager Getting Results Guide, publication
FTALK-GR001


Identify and Create Security Features/Policies

Security policies are created based on device capabilities and operational
functions of automation applications.
Figure 12 - System Implementation - Security Policies

[Figure: PC Zone, Zone 1, and Zone 2 with Conduit 1 and Conduit 2. The device faceplate labels of the drawing are not reproduced.]

After you identify and create security features/policies, update the security
matrix so that it details the security policies that apply to each conduit;
for example, whether certificates or pre-shared keys are used, whether
confidentiality is enabled or disabled, and whether an AllowedList is used.

Table 11 is an updated security matrix with security features and policies
defined.
Table 11 - Security Matrix - Security Features and Policies

Conduit 1 - Zone to Zone: PC Zone to Zone 1 (Secure communication with FactoryTalk Linx.)
Security Policy - Secure FactoryTalk Linx Communication:
• Certificates
• Integrity
• Confidentiality

Conduit 2 - Zone to Zone: PC Zone to Zone 2 (Secure communication with FactoryTalk Linx.)
Security Policy - Secure FactoryTalk Linx Communication:
• Certificates
• Integrity
• Confidentiality

Trusted IP (AllowedList) - Zone/Device to Zone/Device (Non-CIP Security-capable devices)
PC Zone Device - FactoryTalk Network Manager (IP address: xxx.xxx.xxx.xxx)
Zone 1 - Devices:
• Kinetix 5700 drive (IP address: xxx.xxx.xxx.xxx)
• ControlLogix 5580 controller (IP address: xxx.xxx.xxx.xxx)
• 1756-EN4TR module (IP address: xxx.xxx.xxx.xxx)
• PanelView Plus terminal (IP address: xxx.xxx.xxx.xxx)
• PowerFlex 755T drive (IP address: xxx.xxx.xxx.xxx)
Zone 2 - Devices:
• Kinetix 5700 drive (IP address: xxx.xxx.xxx.xxx)
• ControlLogix 5580 controller (IP address: xxx.xxx.xxx.xxx)
• 1756-EN4TR module (IP address: xxx.xxx.xxx.xxx)
• PanelView Plus terminal (IP address: xxx.xxx.xxx.xxx)
• PowerFlex 755T drive (IP address: xxx.xxx.xxx.xxx)
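The permit, conduit, and deny decisions behind Tables 10 and 11 can be checked before anything is deployed by modelling the security matrix in code. The following Python is an added example; it is not Rockwell Automation software and not the FactoryTalk Policy Manager data model. The zone, conduit, and device names follow Tables 9 to 11, the IP addresses are constructed sample values standing in for the xxx.xxx.xxx.xxx placeholders, and the class names, the AllowedList-per-zone representation, and the decision order (same zone, then conduit, then AllowedList) are the example's own assumptions.

```python
from dataclasses import dataclass

# Security levels selectable per conduit in CONDUIT PROPERTIES.
INTEGRITY_ONLY = "Integrity only"
INTEGRITY_AND_CONFIDENTIALITY = "Integrity & Confidentiality"


@dataclass(frozen=True)
class Device:
    name: str
    ip: str            # constructed sample address, stands in for xxx.xxx.xxx.xxx
    zone: str
    cip_security_capable: bool = True


@dataclass(frozen=True)
class Conduit:
    name: str
    endpoint_a: str    # zone name
    endpoint_b: str    # zone name
    authentication: str = "Certificates"   # or "Pre-shared key"
    io_data_security: str = INTEGRITY_AND_CONFIDENTIALITY
    messaging_security: str = INTEGRITY_AND_CONFIDENTIALITY

    def joins(self, zone_x: str, zone_y: str) -> bool:
        return {zone_x, zone_y} == {self.endpoint_a, self.endpoint_b}


class SecurityModel:
    """Zones, conduits and the AllowedList (Trusted IP) entries of the model."""

    def __init__(self) -> None:
        self.zones: dict = {}          # zone name -> list of Device
        self.conduits: list = []
        self.allowed_list: dict = {}   # destination zone -> set of trusted source IPs

    def add_device(self, dev: Device) -> None:
        self.zones.setdefault(dev.zone, []).append(dev)

    def add_conduit(self, conduit: Conduit) -> None:
        for zone in (conduit.endpoint_a, conduit.endpoint_b):
            self.zones.setdefault(zone, [])
        self.conduits.append(conduit)

    def trust_ip(self, dst_zone: str, src_ip: str) -> None:
        self.allowed_list.setdefault(dst_zone, set()).add(src_ip)

    def zone_decision(self, src_zone: str, dst_zone: str) -> str:
        """One cell of Table 10: Permit inside a zone (the default pathway),
        the named conduit between two zones that have one, otherwise Denied."""
        if src_zone == dst_zone:
            return "Permit"
        for conduit in self.conduits:
            if conduit.joins(src_zone, dst_zone):
                return f"{conduit.name}: Zone-to-Zone"
        return "Denied"

    def device_decision(self, src: Device, dst: Device) -> str:
        """What a deployed destination accepts from a source. Same zone is
        always permitted, which also covers a non-CIP Security-capable device
        inside the zone. A conduit needs CIP Security on both ends; a
        non-capable source reaches another zone only through the AllowedList."""
        if src.zone == dst.zone:
            return "Permit"
        if src.cip_security_capable and dst.cip_security_capable:
            decision = self.zone_decision(src.zone, dst.zone)
            if decision != "Denied":
                return decision
        if src.ip in self.allowed_list.get(dst.zone, set()):
            return "Trusted IP (AllowedList)"
        return "Denied"

    def matrix(self) -> dict:
        """The whole Source x Destination grid of Table 10."""
        names = list(self.zones)
        return {(s, d): self.zone_decision(s, d) for s in names for d in names}


def build_example_model() -> SecurityModel:
    """The system of Tables 9 to 11 with constructed 192.0.2.0/24 addresses."""
    model = SecurityModel()
    model.add_device(Device("Studio 5000 Logix Designer workstation", "192.0.2.10", "PC Zone"))
    model.add_device(Device("FactoryTalk Network Manager", "192.0.2.20", "PC Zone",
                            cip_security_capable=False))
    for zone, prefix in (("Zone 1", "192.0.2.1"), ("Zone 2", "192.0.2.2")):
        model.add_device(Device("ControlLogix 5580 controller", prefix + "01", zone))
        model.add_device(Device("1756-EN4TR module", prefix + "02", zone))
        model.add_device(Device("PanelView Plus terminal", prefix + "05", zone,
                                cip_security_capable=False))
    model.add_conduit(Conduit("Conduit 1", "PC Zone", "Zone 1"))
    model.add_conduit(Conduit("Conduit 2", "PC Zone", "Zone 2"))
    # Trusted IP row of Table 11: the Network Manager is admitted to both cell
    # zones by address, because it cannot present a certificate.
    for zone in ("Zone 1", "Zone 2"):
        model.trust_ip(zone, "192.0.2.20")
    return model


def find(model: SecurityModel, zone: str, name: str) -> Device:
    return next(d for d in model.zones[zone] if d.name == name)


if __name__ == "__main__":
    model = build_example_model()
    for (src, dst), decision in model.matrix().items():
        print(f"{src:8} -> {dst:8}: {decision}")
```

Running the block prints the nine cells of Table 10. The device-level check is where the AllowedList matters: the non-CIP Security-capable FactoryTalk Network Manager cannot use a certificate-based conduit, so it reaches the cell zones only because its address is trusted there. Review that list with the same care as the conduits, because a trusted IP address is accepted without cryptographic authentication.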


Deploy Security Model

After the zones, conduits, and device security policies have been configured,
the resulting security model can be deployed.

You click the Deploy button in FactoryTalk Policy Manager software to trigger
FactoryTalk System Services to deploy the security model. FactoryTalk System
Services runs in the background. You do not take action in the client.

IMPORTANT Before a deployed security model becomes active, communication must be
reset to all configured devices, resulting in a short loss of connectivity.

Once the security model is deployed and active, that is, communication is reset
on a device, the device only accepts communication from other devices in the
same zone or using conduits that are configured to enable communication
with other security zones or devices.

Before deploying a security model, make sure that all devices are operational
and have network access.

After the security model is deployed and active on all affected devices,
FactoryTalk Policy Manager and FactoryTalk System Services are no longer
required for real-time operations. They’re required again if changes to the
security model must be deployed.
To deploy the model, complete the following steps.
1. On the FactoryTalk Policy Manager toolbar, select Deploy.


2. Review the Deploy dialog box.


The list of devices identifies the devices to be configured when this model
is deployed.

IMPORTANT If the list contains unexpected devices, click CANCEL and then change
the model as needed.
3. Complete the following steps.
a. Choose the Deployment scope based on your application.
• Select Changed device communication ports only for differential
deployment.
• Select All device communication ports in the model for full
deployment.
We recommend that you use the default option. That is, Changed
device communication ports only.


b. Choose one of the following options for when to reset the
communication channels for the items included in the security model.
The following types of deployment are available:
• During deployment - The CIP connection is closed and reopened on
the device during the deployment process.
Similar to when the network card on a computer is reset, the device
stays functional but is disconnected from the network for a few
moments. This option applies the new policy to the device when the
policy is deployed.
• After deployment - Security policy changes are applied to devices with
existing connections only after those connections are closed and
reopened. For example, you can close and reopen existing connections
by cycling power to a device, or by inhibiting and uninhibiting the
connection.

IMPORTANT With the After deployment option, the security policy is applied to
each connection individually. If the connection reset is postponed
and an unexpected connection drop occurs, the system can enter a
state in which the security policy operates only in parts of the
system.
In this case, unexpected connection outages can occur. Connection
outages are difficult to track. We recommend that you use extreme
caution when using the After deployment option.
This option is useful if there’s a scheduled maintenance reset process
in your environment that can be relied upon to perform this function.


4. Click DEPLOY.

The Results pane updates with the results of the deployment as it occurs. After
deployment is complete, a summary report is provided that lists the successes,
failures, and errors encountered during the process.

For information on how to deploy a security model, see the FactoryTalk Policy
Manager Getting Results Guide, publication FTALK-GR001.


Back Up the Security Model

You aren't required to back up the security model. However, we strongly
recommend that you back it up after each policy deployment to keep the
backup files synchronized with the current security policy.

Back up FactoryTalk System Services to save a copy of the security model and
its associated certificates. After the model has been created, the FactoryTalk
System Services backup file is included with the FactoryTalk Services Platform
backup when it’s performed.

IMPORTANT You must have Administrator privileges to back up FactoryTalk System
Services.

To back up the security model, complete the following steps.

1. Open a command prompt as an Administrator.
2. In the command prompt window, type:
cd C:\Program Files (x86)\Rockwell Software\FactoryTalk System Services
3. Run the backup utility by typing one of the following commands:
• FTSSBackupRestore -B -PW "password" (FactoryTalk System Services, version 6.11)
• FtssBackupRestore -B -P "password" (FactoryTalk System Services, version 6.20 or later)
The command creates an encrypted backup of the data using the password that is
supplied in quotation marks. This password must be supplied to restore the data.
The backup uses 7-zip to password-encrypt the archive file with AES-256. The
headers are also encrypted, so the names of the files within the archive are
encrypted.
4. The password-protected backup file named FTSS_Backup.7z is created.
The file is included in the FactoryTalk Services Platform Backup.
Verify that the file is present in the following location:
C:\ProgramData\Rockwell\RNAServer\Global\RnaStore\FTSS_Backup
The ProgramData folder is hidden by default in Windows File Explorer.

Save Security Model Backup to Another Secure Location

We recommend that you save the backup.zip file to another secure location
in addition to the FTSS_Backup folder described previously.

Different From FactoryTalk Directory Backup File

FactoryTalk Directory provides a central lookup service for all products
participating in an application, including the FactoryTalk System Services
application. We recommend that you create FactoryTalk backup files to
preserve and restore a FactoryTalk system if there's a system failure.
To be clear, a FactoryTalk Directory backup excludes product backup files. You
must back up individual applications separately from a FactoryTalk Directory
backup. However, once you create a backup of the Security Model
(FTSS_Backup folder), this folder is included in the FactoryTalk Directory
Backup when that backup is performed.
For more information on how to back up the FactoryTalk Directory, see the
FactoryTalk Security System Configuration Guide,
publication FTSEC-QS001.

Restore FactoryTalk System Services

Restore FactoryTalk System Services to return the FactoryTalk System Services
databases to a known good state.

IMPORTANT Consider the following:
• If you restore FactoryTalk System Services, the security model backup folder
is automatically deleted. For this reason, we recommend that you save the
security model backup file in a separate location, as described on page 62.
• Restoring FactoryTalk System Services requires administrator privileges.

To restore a FactoryTalk System Services database, complete the following
steps.
1. Verify that the backup.zip file is present in the following location:
C:\ProgramData\Rockwell\RNAServer\Global\RnaStore\FTSS_Backup
2. Open a command prompt as an Administrator.
3. In the command prompt window, type:
cd C:\Program Files (x86)\Rockwell Software\FactoryTalk System Services
4. Run the FactoryTalk System Services Backup & Restore Utility by typing
one of these commands:
• FTSSBackupRestore -R -PW "password" (FactoryTalk System Services, version 6.11)
• FTSSBackupRestore -R -P "password" (FactoryTalk System Services, version 6.20 or later)
The command restores an encrypted backup of the databases, which is decrypted
using the password that is supplied after the -P parameter. Quotation marks
are optional.

You can restore a FactoryTalk System Services database backup in a later
revision of software. For example, you can open a backup of a FactoryTalk
System Services database, version 6.11, with version 6.20 or later.

IMPORTANT Before you migrate from version 6.11 to version 6.20 or later, we recommend
that you see the following Rockwell Automation Knowledgebase articles, which
are available at https://rockwellautomation.custhelp.com/app/home:
– Backup and restore CIP Security models of FactoryTalk Policy Manager and
FactoryTalk System Services
– Fail to migrate existing FactoryTalk System Service data with CIP Security
policy models
– FactoryTalk Policy Manager download and install
We recommend that you use the latest version of FactoryTalk Policy
Manager.


Remove the Security Policy

If necessary, you can remove the security policy from software applications
and hardware devices.

Remove the Security Policy From a Software Application


You can use the following to remove the security policy from FactoryTalk Linx:
• FactoryTalk Policy Manager
When you use the FactoryTalk Policy Manager method, you not only
remove the security policy from FactoryTalk Linx. The computer with
FactoryTalk Linx on it also no longer appears in FactoryTalk Policy
Manager.
The FactoryTalk Policy Manager method only works if the computer with
FactoryTalk Policy Manager is accessible to the computer with
FactoryTalk Linx on it.
• FactoryTalk Administration Console
If the computer with FactoryTalk Policy Manager isn’t accessible to the
computer with FactoryTalk Linx on it, you must use the FactoryTalk
Administration Console method.
When you use the FactoryTalk Administration Console method, you
remove the security policy from FactoryTalk Linx.
You must then return to FactoryTalk Policy Manager to delete the
computer with FactoryTalk Linx, and then you redeploy the model so that
other devices can update their trust models.

Remove Security Policy From FactoryTalk Linx Via FactoryTalk Policy Manager
1. In the FactoryTalk Policy Manager navigation bar, select Devices, and
then select the device.


2. Above the list of devices, click Delete.

After you click Delete, the device stays in the table but is crossed out. The
device no longer appears in the list after you deploy the updated security
model in the next step.

3. Deploy the security model as described starting on page 58, and choose to
reset the communication channels During deployment.


Remove Security Policy From FactoryTalk Linx Via FactoryTalk Administration Console

1. Start FactoryTalk Administration Console for an IACS that is online and
has a security policy in place.
2. At the bottom of the Explorer pane, click the Communications tab.

3. Right-click the FactoryTalk Linx and choose Properties.


The Device Properties dialog box appears.

4. Complete the following steps.
a. Click the CIP Security tab.
b. Click Reset CIP Security.
c. Click OK.

For more information on how to use FactoryTalk Administration Console, see
the software online help.


Remove the Security Policy From a Device


You can use the following ways to remove the security policy from a device:
• Via FactoryTalk Policy Manager - Two methods with this option.
- Option 1 - Change the device security policy.
- Option 2 - Delete the device from the security model.
The FactoryTalk Policy Manager methods only work if the computer with
FactoryTalk Policy Manager is accessible to the device.
• Reset device to factory default settings
If the computer with FactoryTalk Policy Manager is not accessible to the
device, you can use this method.

Remove Security Policy From a Device Via FactoryTalk Policy Manager - Option 1
1. In the FactoryTalk Policy Manager navigation bar, select Devices, and
then select the device.

PORT PROPERTIES are displayed.


2. In the Policies area, change the security policies for the device.


In Zone, choose either Unassigned or a zone that is not CIP Security
enabled.

3. Deploy the security model as described starting on page 58, and choose to
reset the communication channels During deployment.
The device security policy is reset to none.


Remove Security Policy From a Device Via FactoryTalk Policy Manager - Option 2
1. In the FactoryTalk Policy Manager navigation bar, select Devices, and
then select the device.

2. Above the list of devices, click Delete.


After you click Delete, the device stays in the table but is crossed out.
After you deploy the updated security model, the device no longer appears
in the list.

3. Deploy the security model as described starting on page 58, and choose to
reset the communication channels During deployment.

IMPORTANT If the device can’t be reached when the Deploy attempts to clear the security
policy from the device, the attempt fails and the security policy remains in
the device.

Remove Security Policy From a Device By Resetting Device to Factory Default State

You can remove the security policy from a device by resetting the device to its
factory default state.

IMPORTANT The methods by which you reset devices to their factory default, and the
conditions of each device when it is in its factory default state, vary.
Before you reset a device to its factory default state to remove the security
policy, be aware of the impact the reset can have on your IACS in general.
Resetting a device to its factory default state can affect the overall system in
ways unrelated to CIP Security.

For information on how to reset a device to its factory default state, see the
technical documentation for the device.


Set Mask Parameters on PowerFlex 755T Drives to Maintain Security

You can only apply CIP Security to the built-in EtherNet/IP interface on
PowerFlex 755TL/TM/TR/TS products. There are ports in addition to the built-in
EtherNet/IP interface that you should secure.

These products have ports where Human Interface Modules (HIMs) and
communication option cards can connect. You can secure these ports by
configuring mask parameters in the host PowerFlex product.

Device Peripheral Interface (DPI) Ports


HIMs and serial communication devices can connect to PowerFlex 755TL/TM/
TR/TS products at DPI™ ports 1…3. These include the following devices:
• 20-HIM-A6
• 20-HIM-C6S
• 1203-USB

Port 1 is the HIM cradle on the control pod. Ports 2 and 3 are accessible through
the DPI connector on the back of the HIM cradle on the control pod.

Communication option cards can connect to DPI ports 4…6. The cards include
the following devices:
• 20-750-CNETC
• 20-750-DNET
• 20-750-ENETR
• 20-750-PBUS
• 20-750-PNET
• 20-750-PNET2P

These ports are option card slots in the control pod.


DPI Port   Possible Devices
1          20-HIM-A6
2 and 3    20-HIM-A6, 20-HIM-C6S, and 1203-USB
4…6        20-750-CNETC, 20-750-DNET, 20-750-ENETR, 20-750-PBUS, 20-750-PNET, and 20-750-PNET2P


Setting Masks to Secure the DPI Ports

Perform the following configurations from a tool such as Connected
Components Workbench™ software or Logix Designer application. You need
to understand the following parameters:
• 0:41 [Logic Mask]
• 0:230 [Write Mask Cfg]
• 0:231 [Write Mask Act]

For more information, see the PowerFlex Drives with TotalFORCE Control
Programming Manual, publication 750-PM101.
1. Identify which ports contain HIMs, serial communication devices and
communication option cards.
For example, this drive has a HIM at port 1 and a PROFINET option card
in port 6.

2. Clear the corresponding bits in the parameter 0:41 [Logic Mask].

In our example we must disable port 1 and port 6. We must clear the
corresponding bits 1 and 6.

Clearing the bit that corresponds to the port helps prevent a device at that port
from controlling the logic command (start, stop, and so forth) of the host
product.


3. Clear the corresponding bits in the parameter 0:230 [Write Mask Cfg].
In our example we must disable port 1 and port 6. We must clear the
corresponding bits 1 and 6.

Clearing the bit that corresponds to the port helps prevent a device at
that port from writing values to any of the parameters in the host
product.
4. Cycle power or perform a reset to allow the configuration in parameter
0:230 [Write Mask Cfg] to take effect.
5. Verify that the corresponding bits are properly set in parameter 0:231
[Write Mask Act].
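The bit arithmetic in steps 2 to 5 is easy to get wrong by hand, so the following Python (an added example, not Rockwell Automation code) plans and checks the mask values for the HIM-at-port-1, PROFINET-card-at-port-6 case and, more generally, for any port occupancy. It assumes what the worked example implies, that bit N of 0:41 [Logic Mask] and 0:230 [Write Mask Cfg] corresponds to DPI port N; the word width and factory defaults of those parameters are documented in publication 750-PM101, and the code leaves every bit other than the port bits unchanged. The device table is the DPI port table above; the function names and the all-ports-enabled starting value are the example's own.

```python
DPI_PORTS = range(1, 7)  # DPI ports 1...6

# The DPI port table above: which devices can occupy which port.
OPTION_CARDS = {"20-750-CNETC", "20-750-DNET", "20-750-ENETR",
                "20-750-PBUS", "20-750-PNET", "20-750-PNET2P"}
POSSIBLE_DEVICES = {
    1: {"20-HIM-A6"},
    2: {"20-HIM-A6", "20-HIM-C6S", "1203-USB"},
    3: {"20-HIM-A6", "20-HIM-C6S", "1203-USB"},
    4: OPTION_CARDS,
    5: OPTION_CARDS,
    6: OPTION_CARDS,
}


def port_bit(port: int) -> int:
    """Bit mask for one DPI port (assumed mapping: port N -> bit N)."""
    if port not in DPI_PORTS:
        raise ValueError(f"DPI port must be 1...6, got {port}")
    return 1 << port


def validate_occupancy(occupancy: dict) -> list:
    """Step 1 sanity check: every listed device must be one the table allows
    on that port. Returns a list of problems (empty when consistent)."""
    problems = []
    for port, device in occupancy.items():
        if port not in DPI_PORTS:
            problems.append(f"port {port} is not a DPI port")
        elif device not in POSSIBLE_DEVICES[port]:
            problems.append(f"{device} cannot occupy DPI port {port}")
    return problems


def clear_ports(mask: int, ports) -> int:
    """Clear the bit of each occupied port; all other bits are preserved."""
    for port in ports:
        mask &= ~port_bit(port)
    return mask


def disabled_ports(mask: int) -> list:
    """Which DPI ports a mask value disables (bit cleared)."""
    return [p for p in DPI_PORTS if not mask & port_bit(p)]


def plan_masks(logic_mask: int, write_mask_cfg: int, occupancy: dict) -> dict:
    """Steps 2 and 3: new values for both parameters, clearing every port
    that has a HIM, serial device or option card plugged in."""
    problems = validate_occupancy(occupancy)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "0:41 [Logic Mask]": clear_ports(logic_mask, occupancy),
        "0:230 [Write Mask Cfg]": clear_ports(write_mask_cfg, occupancy),
    }


def write_mask_active(write_mask_cfg: int, write_mask_act: int) -> bool:
    """Step 5: after the power cycle or reset, 0:231 [Write Mask Act] must
    disable exactly the ports that 0:230 [Write Mask Cfg] disables."""
    return disabled_ports(write_mask_cfg) == disabled_ports(write_mask_act)


if __name__ == "__main__":
    # The page's example: HIM at port 1, PROFINET option card at port 6.
    occupied = {1: "20-HIM-A6", 6: "20-750-PNET"}
    all_ports_enabled = sum(port_bit(p) for p in DPI_PORTS)  # constructed start value
    for name, value in plan_masks(all_ports_enabled, all_ports_enabled, occupied).items():
        print(f"{name}: {value:#09b} disables ports {disabled_ports(value)}")
```

write_mask_active is the check for step 5: until the drive has been power cycled or reset, 0:231 [Write Mask Act] still reflects the old configuration and the function returns False, which is the cue that the write protection is not yet in force.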


Use Syslog with CIP Security


IMPORTANT The following products support Syslog:
• FactoryTalk Linx, version 6.21 or later
• ControlLogix 5580 controllers, firmware revision 34.011 or later
• GuardLogix® 5580 controllers, firmware revision 34.011 or later
• 1756-EN4TR EtherNet/IP communication module, firmware revision 4.001 or
later
• 1783-CSP CIP Security Proxy, firmware revision 1.001 or later
• PowerFlex 755T drives, firmware revision 10.001 or later

Syslog is a standardized and widely used event message logging technology.
You use Syslog to generate, store, report, and analyze security-related events.
When syslog operates over a network, it uses a client-server architecture in
which a syslog server monitors for, and logs, messages coming from clients.

CIP Security-capable devices are syslog-capable. To enable and configure
syslog in certified security applications, you must implement CIP Security.

Syslog Collector
A Syslog collector stores event messages that are sent from the generating
device to the collector.

IMPORTANT The syslog collector and the generating device must be connected to the
same Ethernet network.

If you use another tool as the Syslog collector, it must support the following:
• RFC-5424 syslog protocol
• Ability to receive messages from CIP Security-enabled devices
You must configure an IP address for the Syslog Collector in FactoryTalk Policy
Manager software.

Define Event Policy in FactoryTalk Policy Manager


Administrators use FactoryTalk Policy Manager software to define the event
generation policy for Rockwell Automation endpoints with no separate tools,
no custom UIs, no setting up individual devices.

Also known as Secure Eventing, this service uses the following communication
protocols to log messages:
• UDP - A protocol that gives good performance for a high volume of
messages; however, it can lose data during network issues.
• TCP - A protocol that is best suited for high-priority messaging.


To use syslog in FactoryTalk Policy Manager software, complete the
following tasks.
1. Enable Security Eventing.
2. Configure the IP address of the syslog collector.
3. Configure endpoint filtering based on the following:
- Severity Level of Information based on the descriptions in Table 13 on
page 77.
- Log failures - Select whether only failures or both successes and
failures are logged.
4. Change the port of the syslog server.
5. Set the protocol - TCP or UDP.
6. Enable Sequence ID and Time Quality.
7. Select what details are included in events, that is, Sequence ID and/or
Time Quality.

When an event occurs, syslog generates an event record that includes metadata
related to the syslog configuration.

For example, suppose an unauthorized device that uses IP address 192.168.1.102
tries to make a connection to a device in the system. The connection attempt is
denied and syslog generates an event that indicates that an unauthorized
device tried to make the connection.

In this case, the event ID = cipsec_tls_srv_session_failed, event=13. The syslog
entry indicates the time, in milliseconds or nanoseconds, when the event occurred.

Facility Codes and Severity Levels

When detected, each message is labeled with a facility code and is assigned a
severity level.

Facility Codes

Table 12 describes the facility codes that syslog uses to label events.

Table 12 - Syslog Event Facility Codes

Category    ID   Facility Code   Definition
null        0    local0(16)      For future use, no events belong to this category.
comms       1    local0(16)      A general communications-related event.
config      2    local0(16)      A general configuration-related event.
diag        3    syslog(5)       A general fault or error diagnostic.
stat        4    local0(16)      A general event providing statistical data.
alert       5    syslog(5)       A general event related to a potential threat.
control     6    local0(16)      A general control system-related event.
audit       7    local0(16)      A general audit log-related event.
backup      8    local0(16)      A general backup or restore-related event.
security    9    auth(4)         A general security-related event.
cip         10   local0(16)      A CIP-related event.
http        11   local0(16)      A web server or client-related event.
opc         12   local0(16)      An OPC or OPC-UA-related event.
log         13   local0(16)      A log-related event.
cert        14   local0(16)      A certificate-related event.
discovery   15   local0(16)      A system discovery-related event.
auth        16   auth(4)         An account management-related event.
sys         17   local7(23)      A general system-related event.
cipsec      18   auth(4)         A CIP Security-related event.

Severity Levels

Events can have security risks that can take many forms, for example:
• Threat actors that try to gain unauthorized, and undetected, access to an
IACS network with the intention to commit malicious acts.
• Well-intentioned personnel with no malicious intention but who make
mistakes that can result in unintended consequences.

Table 13 describes the severity levels as defined by The Syslog Protocol, RFC
5424, standard.

Table 13 - Event Security Risk Severity Levels

Severity Name   Severity Level      Definition
emrg            0 Emergency         System is unusable.
alrt            1 Alert             Should be corrected immediately.
crit            2 Critical          Critical condition.
err             3 Error             Error condition.
warn            4 Warning           Error may occur if action is not taken.
note            5 Notice            Events are unusual.
info            6 Informational     Normal operations, no action required.
audit           7 Audit             Information for the audit system.
dbg             8 Debug             Information for developers.
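To show what the collector actually receives, the following Python (an added example, not Rockwell Automation code) parses RFC 5424 messages, decodes the PRI field into the facility of Table 12 and a severity level, and runs two defender-side checks: counting cipsec_tls_srv_session_failed events per peer address, and detecting gaps in the Sequence ID that step 6 of the configuration enables (over UDP, a gap means events were lost in transit). The message lines are constructed: the header layout and the [meta sequenceId] and [timeQuality] structured-data elements are defined by RFC 5424; the MSGID cipsec_tls_srv_session_failed, event=13, and the address 192.168.1.102 come from the page; the key=value text of the MSG field and the PRI values are assumptions, because the page does not show a real device's message. Because PRI = facility × 8 + severity, a transported message can only carry a severity of 0 to 7, so the decoder names those values with the RFC 5424 keywords.

```python
import re
from collections import Counter

# Facility numbers that appear in Table 12, and the RFC 5424 severity keywords
# (a PRI value can only carry severities 0 to 7).
FACILITY_NAMES = {4: "auth", 5: "syslog", 16: "local0", 23: "local7"}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$"
)
SD_ELEMENT_RE = re.compile(r'\[(\w+)((?: [\w@.]+="[^"]*")*)\]')
SD_PARAM_RE = re.compile(r'([\w@.]+)="([^"]*)"')

# Constructed sample traffic: a ControlLogix 5580 (192.0.2.101) refusing three
# TLS sessions from the unauthorized address used on the page, one accepted
# session in between, and one lost message (sequenceId 44 never arrives).
SAMPLE_LINES = [
    '<36>1 2022-08-15T10:22:41.123456Z 192.0.2.101 ControlLogix5580 - '
    'cipsec_tls_srv_session_failed [meta sequenceId="41"][timeQuality tzKnown="1" isSynced="1"] '
    'event=13 peer=192.168.1.102 reason=untrusted_certificate',
    '<36>1 2022-08-15T10:22:42.204311Z 192.0.2.101 ControlLogix5580 - '
    'cipsec_tls_srv_session_failed [meta sequenceId="42"][timeQuality tzKnown="1" isSynced="1"] '
    'event=13 peer=192.168.1.102 reason=untrusted_certificate',
    '<134>1 2022-08-15T10:22:43.000000Z 192.0.2.101 ControlLogix5580 - - '
    '[meta sequenceId="43"][timeQuality tzKnown="1" isSynced="1"] '
    'session accepted peer=192.0.2.10',
    '<36>1 2022-08-15T10:22:45.987654Z 192.0.2.101 ControlLogix5580 - '
    'cipsec_tls_srv_session_failed [meta sequenceId="45"][timeQuality tzKnown="1" isSynced="1"] '
    'event=13 peer=192.168.1.102 reason=untrusted_certificate',
]


def parse(line: str) -> dict:
    """Split one RFC 5424 line into header fields, decoded PRI, structured
    data and the key=value pairs found in the free-text MSG."""
    match = HEADER_RE.match(line)
    if not match:
        raise ValueError("not an RFC 5424 message: " + line[:40])
    event = match.groupdict()
    facility, severity = divmod(int(event.pop("pri")), 8)
    event["facility"], event["severity"] = facility, severity
    event["facility_name"] = FACILITY_NAMES.get(facility, f"facility{facility}")
    event["severity_name"] = SEVERITY_NAMES[severity]
    rest = event.pop("rest")
    sd, end = {}, 0
    if rest.startswith("-"):            # NILVALUE: no structured data
        end = 1
    else:
        for element in SD_ELEMENT_RE.finditer(rest):
            if element.start() != end:  # SD elements must be contiguous
                break
            sd[element.group(1)] = dict(SD_PARAM_RE.findall(element.group(2)))
            end = element.end()
    event["sd"] = sd
    event["msg"] = rest[end:].strip()
    event["fields"] = dict(kv.split("=", 1) for kv in event["msg"].split() if "=" in kv)
    return event


def failed_sessions_by_peer(events, msgid="cipsec_tls_srv_session_failed") -> Counter:
    """Detection: how many refused CIP Security sessions each peer caused."""
    counts = Counter()
    for event in events:
        if event["msgid"] == msgid:
            counts[event["fields"].get("peer", "unknown")] += 1
    return counts


def sequence_gaps(events) -> list:
    """Per host, gaps in the [meta sequenceId] counter; over UDP a gap means
    events were dropped in transit. Returns (host, last_seen, next_seen)."""
    last, gaps = {}, []
    for event in events:
        seq = event["sd"].get("meta", {}).get("sequenceId")
        if seq is None:
            continue
        seq, host = int(seq), event["host"]
        if host in last and seq != last[host] + 1:
            gaps.append((host, last[host], seq))
        last[host] = seq
    return gaps


if __name__ == "__main__":
    events = [parse(line) for line in SAMPLE_LINES]
    for event in events:
        print(event["timestamp"], event["facility_name"], event["severity_name"],
              event["msgid"], event["fields"])
    print("failed sessions:", dict(failed_sessions_by_peer(events)))
    print("sequence gaps:", sequence_gaps(events))
```

The per-peer count is the simplest useful alert: repeated cipsec_tls_srv_session_failed events from one address are either a misconfigured device that was left out of the model or something probing the zone, and either way the address deserves a look. The sequence-gap check is why enabling Sequence ID matters if the collector is reached over UDP: without it, a lost message is invisible.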

Syslog Message List


For a complete list of syslog messages, see the Logix 5000 Controller and I/O
Fault Codes and Syslog Messages Reference Data, publication 1756-RD001.



Chapter 4

CIP Security Implementation


Example Architecture

This section describes an example IACS with CIP Security™ implemented.

Phase One of Implementation

In the first phase of the CIP Security implementation, you secure
communication between the Computer (PC) zone and each IACS zone. The
degree to which you secure communication depends on your system needs.

For more information on the CIP Security properties that you can use to secure
communication, see Secure Data Transport on page 15.

We recommend that you secure communication between the Computer zone
and each IACS zone because the Computer zone, with its Windows-based
operating systems, presents the most vulnerabilities.
In this phase, you complete the following tasks:
• Create Zones
• Create Zone-to-Zone Conduits
• Deploy Security Policies

Create Zones
Create zones and all applicable devices including CIP Security-capable and
non-CIP Security-capable devices.
• PC Zone (FactoryTalk® Site servers and engineering workstations
[EWS])
• Cell Zone A (Controller zone)
• Cell Zone B (I/O zone)
• Cell Zone C (Controller zone)

IMPORTANT The example zones that are shown in this section are all in the same subnet/
VLAN.

Figure 13 - CIP Security Architecture - Zones
[Figure not reproduced. Labels recovered from the drawing: PC Zone (FactoryTalk Policy Manager, FactoryTalk System Services, FactoryTalk Linx, Studio 5000 Logix Designer®, FactoryTalk View); Cell Zone A (L85_Line1, 1756-EN4TR module, 1783-CSP proxy, 1734-AENTR POINT I/O™ modules, PanelView™ Plus terminal_1, PowerFlex® 755T drives); Cell Zone B (Kinetix® 5700 servo drives_1 and servo drives_2); Cell Zone C (L85_Motion, 1756-EN4TR module, PanelView Plus terminal, PowerFlex 755T drives).]
Table 14 is a security matrix with zones and devices.

Table 14 - Security Matrix - Zones
PC Zone Software: FactoryTalk Linx(1); FactoryTalk Policy Manager; FactoryTalk System Services; Studio 5000 Logix Designer(1)(2); FactoryTalk View
Cell Zone A: L85_Line1; 1756-EN4TR module; 1783-CSP proxy; 1734-AENTR module(2); PanelView Plus terminal_1; PowerFlex 755T drive; PowerFlex 755T drive
Cell Zone B: Kinetix 5700 servo drives_1; Kinetix 5700 servo drives_2
Cell Zone C: L85_Motion; 1756-EN4TR module; PanelView Plus terminal(2); PowerFlex 755T drive; PowerFlex 755T drive

(1) This group of software is installed on the same server/computer.
(2) This device is not CIP Security-capable.


Create Zone-to-Zone Conduits

1. Create zone-to-zone conduits for secure CIP connections from the
FactoryTalk Linx data server and engineering workstation in the PC zone
to each of the respective Controller zones named Cell Zone A, B, and C.
• PC Zone to Cell Zone A
• PC Zone to Cell Zone B
• PC Zone to Cell Zone C
Figure 14 - CIP Security Architecture - Conduits
[Figure not reproduced. It shows the same zones and devices as Figure 13, with zone-to-zone conduits drawn from the PC Zone to Cell Zone A, Cell Zone B, and Cell Zone C.]

Table 15 is an example of an updated security matrix after conduits are
identified and organized.
Table 15 - Security Matrix - Conduits
Source \ Destination | PC Zone | Cell Zone A | Cell Zone B | Cell Zone C
PC Zone | Permit(1) | Conduit 1: Zone-to-Zone | Conduit 2: Zone-to-Zone | Conduit 3: Zone-to-Zone
Cell Zone A | Conduit 1: Zone-to-Zone | Permit | Denied | Denied
Cell Zone B | Conduit 2: Zone-to-Zone | Denied | Permit | Denied
Cell Zone C | Conduit 3: Zone-to-Zone | Denied | Denied | Permit
(1) Default pathway.


Configure Conduit Security Policies

Configure the conduit security policies that use certificates and message
integrity in the following ways:
• Between the FactoryTalk Linx software and the ControlLogix® 5580
controller in Cell Zone A (Controller zone).
• Between the FactoryTalk Linx software and the Kinetix 5700 drives in
Cell Zone B (I/O zone).
• From the FactoryTalk Linx software to the ControlLogix 5580 controller
in Cell Zone C (Controller zone) through a 1756-EN4TR communication
module.

Optionally, you can establish an allowed list from the PC zone to each IP
address of the non-CIP Security-capable devices.
Figure 15 - CIP Security Architecture - Conduit Security Policies
[Figure not reproduced. It shows the zones and devices of Figure 13 with the three zone-to-zone conduits from the PC Zone. Legend: Integrity, Certificate, Allowed; Zone to Zone Conduit.]

Table 16 is an example of an updated security matrix after the conduit security
policies are configured.
Table 16 - Security Matrix - Conduit Security Policies Matrix
Secure Linx Communication: Conduits 1, 2, and 3 (Secure communication with FactoryTalk Linx.)
Conduit type: Zone to Zone
Endpoints: PC Zone and Cell Zone A; PC Zone and Cell Zone B; PC Zone and Cell Zone C
Security Policy: • Certificates • Integrity • Confidentiality

Trusted IP (allowed): Zone Device-to-Zone Device (Non-CIP Security-capable devices)
Source: PC Zone, Device: FactoryTalk® Network Manager™, IP address: 192.168.1.100
Destination: Cell Zone A - Devices
• L85_Line1 (192.168.1.8)
• 1756-EN4TR module (192.168.1.9)
• 1783-CSP proxy (192.168.1.10)
• 1734-AENTR module (192.168.11)
• PanelView Plus terminal_1 (192.168.1.12)
• PowerFlex 755T drive (192.168.1.13)
• PowerFlex 755T drive (192.168.1.14)
Destination: Cell Zone C - Devices
• L85_Motion (192.168.3.8)
• 1756-EN4TR module (192.168.3.9)
• PanelView Plus terminal (192.168.3.10)
• PowerFlex 755T drive (192.168.3.11)
• PowerFlex 755T drive (192.168.3.12)

Deploy Security Policies


Deploy the security policies to the devices as described on page 58.


Phase Two of Implementation

In the second phase of the CIP Security implementation, you secure
device-to-device communication for micro-segmentation. You use the
existing zones that are created in the first phase.

Create a Device-to-Device Conduit

Create a device-to-device conduit for a secure CIP connection from the
ControlLogix 5580 controller in Cell Zone A (Controller zone) to the
ControlLogix 5580 controller in Cell Zone C (Controller zone).
Figure 16 - CIP Security Architecture - Device-to-Device Conduit Added
[Figure not reproduced. It shows the zones and devices of Figure 13 with the three zone-to-zone conduits and a device-to-device conduit between L85_Line1 and L85_Motion. Legend: Integrity, Certificate, Allowed; Zone to Zone Conduit, Device to Device Conduit.]

Create a Zone-to-Device Conduit

Create a zone-to-device conduit from the Kinetix 5700 drives in Cell Zone B
(I/O zone) to the ControlLogix 5580 controller in Cell Zone C
(Controller zone).
Figure 17 - CIP Security Architecture - Zone-to-Device Conduit Added
[Figure not reproduced. It shows the zones and devices of Figure 13 with the three zone-to-zone conduits, the device-to-device conduit between L85_Line1 and L85_Motion, and a zone-to-device conduit from Cell Zone B to L85_Motion. Legend: Integrity, Certificate, Allowed; Zone to Zone Conduit, Device to Device Conduit, Zone to Device Conduit.]
Table 17 is an example of an updated security matrix after conduits are
identified and organized.
Table 17 - Security Matrix - Device-to-Device and Zone-to-Zone Conduits Added
Source \ Destination | PC Zone | Cell Zone A | Cell Zone B | Cell Zone C
PC Zone | Permit(1) | Conduit 1: Zone-to-Zone | Conduit 2: Zone-to-Zone | Conduit 3: Zone-to-Zone
Cell Zone A | Conduit 1: Zone-to-Zone | Permit | Denied | Conduit 4: Device-to-Device
Cell Zone B | Conduit 2: Zone-to-Zone | Denied | Permit | Conduit 5: Zone-to-Device
Cell Zone C | Conduit 3: Zone-to-Zone | Denied | Denied | Permit
(1) Default pathway.


Create Conduit Security Policies


Create the conduit security policies that use certificates, message integrity,
and data encryption between endpoints in Conduit 4 and Conduit 5.
Figure 18 - CIP Security Architecture - Conduit Security Policies
[Figure not reproduced. It shows the zones, devices and five conduits of Figure 17 with their security policies. Legend: Integrity, Certificate, Allowed, Encryption; Zone to Zone Conduit, Device to Device Conduit, Zone to Device Conduit.]

Table 18 is an example of an updated security matrix after the conduit security
policies are configured.
Table 18 - Security Matrix - Conduit Security Policies Matrix
Secure Linx Communication: Conduits 1, 2, and 3 (Secure communication with FactoryTalk Linx.)
Conduit type: Zone-to-Zone
Endpoints: PC Zone and Cell Zone A; PC Zone and Cell Zone B; PC Zone and Cell Zone C
Security Policy: • Certificates • Integrity • Confidentiality

Secure Controller Communication: Conduit 4 (Secure communication with originator and target)
Conduit type: Device-to-Device
Endpoints: L85_Line1 and L85_Motion
Security Policy: • Certificates • Integrity • Confidentiality

Secure I/O Communication: Conduit 5 (Secure communication with originator and target)
Conduit type: Zone-to-Device
Endpoints: L85_Motion and Cell Zone B
Security Policy: • Certificates • Integrity • Confidentiality

Trusted IP (allowed): Zone Device to Zone Device (Non-CIP Security-capable devices)
Source: PC Zone, Device: FactoryTalk Network Manager, IP address: 192.168.1.100
Destination: Cell Zone A - Devices
• L85_Line1 (192.168.1.8)
• 1756-EN4TR module (192.168.1.9)
• 1783-CSP proxy (192.168.1.10)
• 1734-AENTR module (192.168.11)
• PanelView Plus terminal_1 (192.168.1.12)
• PowerFlex 755T drive (192.168.1.13)
• PowerFlex 755T drive (192.168.1.14)
Destination: Cell Zone C - Devices
• L85_Motion (192.168.3.8)
• 1756-EN4TR module (192.168.3.9)
• PanelView Plus terminal (192.168.3.10)
• PowerFlex 755T drive (192.168.3.11)
• PowerFlex 755T drive (192.168.3.12)
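The security matrices of phase one and phase two (Tables 15 through 18) are a small access-control model: permit inside a zone, permit across zones only over a conduit with its policy, an unsecured Trusted IP pathway for the devices that cannot do CIP Security, and deny everything else. The following is an added example, not code from the Rockwell publication or from FactoryTalk Policy Manager, that encodes that model and rebuilds Table 17 from the conduit list so the two can be checked against each other. Zone membership, conduits and the Trusted IP list are transcribed from the tables; conduit direction follows Table 17 (zone-to-zone conduits appear in both directions, Conduits 4 and 5 only from source to destination). Assumptions: Conduits 1 to 3 carry certificates and integrity (the phase-one policy text) and Conduits 4 and 5 add confidentiality (the phase-two text); "(A)" and "(C)" are added to tell the two 1756-EN4TR modules apart; PanelView Plus terminal_1 is treated as non-CIP Security-capable because it sits on the Trusted IP list.

```python
"""Evaluate the zone and conduit security matrix of Chapter 4 (Tables 15 to 18).

Added example; not code from the Rockwell publication or from FactoryTalk
Policy Manager. Data is transcribed from the chapter's tables; assumptions are
marked in the comments.
"""
from itertools import product

ZONES = ["PC Zone", "Cell Zone A", "Cell Zone B", "Cell Zone C"]

ZONE_OF = {
    "FactoryTalk Linx": "PC Zone",
    "FactoryTalk Network Manager": "PC Zone",
    "L85_Line1": "Cell Zone A",
    "1756-EN4TR (A)": "Cell Zone A",          # "(A)"/"(C)" suffixes are ours
    "1734-AENTR module": "Cell Zone A",
    "PanelView Plus terminal_1": "Cell Zone A",
    "Kinetix 5700 servo drives_1": "Cell Zone B",
    "Kinetix 5700 servo drives_2": "Cell Zone B",
    "L85_Motion": "Cell Zone C",
    "1756-EN4TR (C)": "Cell Zone C",
    "PanelView Plus terminal": "Cell Zone C",
}

# Table 14 footnote (2), plus PanelView Plus terminal_1 (assumption).
NOT_CAPABLE = {"1734-AENTR module", "PanelView Plus terminal",
               "PanelView Plus terminal_1"}

BASE = frozenset({"certificates", "integrity"})      # phase-one policy
FULL = BASE | {"confidentiality"}                    # phase-two policy

# (name, kind, from endpoint, to endpoint, both directions?, properties)
# An endpoint is either a zone name or a device name; directions per Table 17.
CONDUITS = [
    ("Conduit 1", "Zone-to-Zone", "PC Zone", "Cell Zone A", True, BASE),
    ("Conduit 2", "Zone-to-Zone", "PC Zone", "Cell Zone B", True, BASE),
    ("Conduit 3", "Zone-to-Zone", "PC Zone", "Cell Zone C", True, BASE),
    ("Conduit 4", "Device-to-Device", "L85_Line1", "L85_Motion", False, FULL),
    ("Conduit 5", "Zone-to-Device", "Cell Zone B", "L85_Motion", False, FULL),
]

# Trusted IP (allowed) entries from Table 18: one PC-zone device may reach the
# listed targets without CIP Security. Only targets present in ZONE_OF are kept.
TRUSTED_IP = {("FactoryTalk Network Manager", target) for target in (
    "L85_Line1", "1756-EN4TR (A)", "1734-AENTR module",
    "PanelView Plus terminal_1", "L85_Motion", "1756-EN4TR (C)",
    "PanelView Plus terminal")}


def _matches(endpoint, device):
    """An endpoint matches a device by name or by the device's zone."""
    return endpoint == device or ZONE_OF[device] == endpoint


def _covers(conduit, src, dst):
    _, _, a, b, both, _ = conduit
    forward = _matches(a, src) and _matches(b, dst)
    reverse = _matches(a, dst) and _matches(b, src)
    return forward or (both and reverse)


def evaluate(src, dst):
    """Decide how traffic from device src to device dst is treated.

    Returns (verdict, pathway, properties). verdict is "permit" (inside a zone
    or over a conduit), "allowed" (Trusted IP, no CIP Security) or "denied".
    """
    if ZONE_OF[src] == ZONE_OF[dst]:            # diagonal of Table 15 / 17
        return ("permit", "intra-zone", frozenset())
    if src not in NOT_CAPABLE and dst not in NOT_CAPABLE:
        for conduit in CONDUITS:
            if _covers(conduit, src, dst):
                return ("permit", conduit[0], conduit[5])
    if (src, dst) in TRUSTED_IP:                # unsecured, per-source allow list
        return ("allowed", "Trusted IP", frozenset())
    return ("denied", None, frozenset())


def zone_matrix():
    """Rebuild the zone-level matrix of Table 17 from CONDUITS."""
    def cell(zs, zd):
        if zs == zd:
            return "Permit"
        for name, kind, a, b, both, _ in CONDUITS:
            za, zb = ZONE_OF.get(a, a), ZONE_OF.get(b, b)
            if (za, zb) == (zs, zd) or (both and (zb, za) == (zs, zd)):
                return "%s: %s" % (name, kind)
        return "Denied"
    return {(zs, zd): cell(zs, zd) for zs, zd in product(ZONES, ZONES)}


if __name__ == "__main__":
    table = zone_matrix()
    for zs in ZONES:
        print(zs.ljust(12), " | ".join(table[(zs, zd)] for zd in ZONES))
    print(evaluate("FactoryTalk Linx", "L85_Line1"))
    print(evaluate("FactoryTalk Linx", "PanelView Plus terminal"))
```

Two outcomes are worth noticing when you run it: a zone-to-zone conduit does not reach a non-capable device (FactoryTalk Linx to the PanelView Plus terminal is denied even though Conduit 3 exists), and the Trusted IP pathway is bound to its one source device, so the same terminal is reachable from FactoryTalk Network Manager only.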

Deploy Security Policies


Deploy the updated security policies to the devices as described on page 58.



Chapter 5

Add or Replace A Device In a CIP Security System

This section describes how to perform the following tasks in an IACS with CIP
Security™ implemented:
• Add a new device
• Replace a device

The processes for adding or replacing a device differ based on whether the
device supports Automatic Policy Deployment (APD).
APD lets EtherNet/IP™ endpoints, for example, field devices, initiate
deployment of security policies that are defined on a system server. This
feature makes it easier to add and replace CIP™ Security-capable devices that
support APD to an IACS with CIP Security implemented.

Automatic Policy Deployment

APD leverages ODVA's CIP Security Pull Model concept that enables EtherNet/IP
endpoints, for example, field devices, to initiate deployment of policies
defined on a system server. That is, a CIP Security-capable endpoint can obtain
a certificate from the certificate authority.

During the onboarding process, the devices are discovered, identified, and
provisioned with identities and temporary policies. The onboarded devices can
then be merged into the security model and have their policies deployed
automatically.

By using APD, you can improve the system:
• Operational readiness level
• Uptime
• Security (by provisioning security policies to field devices as soon as they
power up)


Table 19 lists the products that support APD.

Table 19 - Automatic Policy Deployment Requirements
Software or Component | Minimum Software Version | Minimum Firmware Revision
FactoryTalk Policy Manager | 6.30 | —
FactoryTalk System Services | 6.30 | —
FactoryTalk Linx | 6.30 | —
CompactLogix 5380 Controllers | — | 34.011
CompactLogix 5380 Process Controllers | — | 34.011
Compact GuardLogix™ 5380 Controllers | — | 34.011
ControlLogix 5580 Controllers(1) | — | 34.011
ControlLogix 5580 Process Controllers | — | 34.011
1756-EN4TR ControlLogix EtherNet/IP Communication Module | — | 4.001
GuardLogix 5580 Controllers | — | 34.011
(1) This includes ControlLogix 5580 standard and XT controllers.

APD requires a system server with FactoryTalk Policy Manager installed and
FactoryTalk System Services running.
After the FactoryTalk Policy Manager installation, FactoryTalk System Services start
automatically with Windows® and run independently from FactoryTalk Policy Manager.
FactoryTalk System Services operate in the background even if the FactoryTalk Policy
Manager application is closed.

Enable Automatic Policy Deployment

By default, APD is enabled in the products that support it, that is, those listed
in Table 19.
However, by default, APD is disabled in FactoryTalk Policy Manager software.

To enable APD, you must check the boxes in the Automatic Policy Deployment
section of FactoryTalk Policy Manager software. The Automatic Policy
Deployment section is in the software's global settings.

IMPORTANT: If Enable automatic secured device replacement is not enabled,
the security policy is not automatically deployed to a new device. In this
case, you must manually start the deployment process.


Deployment Operation
APD discovers the device on the network that you can add to the security
model.

IMPORTANT • The server with the certificate authority, that is, FactoryTalk System
Services, must be turned on and connected to the EtherNet/IP network.
• APD can onboard and merge only one EtherNet/IP device interface. This
applies to CompactLogix 5380 and Compact GuardLogix 5380 controllers
when they’re configured for Dual-IP mode.

The following steps occur when an endpoint uses APD:


1. The endpoint uses the Domain Name Server-based Service Discovery
(DNS-SD) technology to discover the server.
If FactoryTalk System Services and FactoryTalk Policy Manager are on a
different subnet or VLAN, you need an external DNS-SD server or a switch with
technology that bridges mDNS over subnets.
2. The server acknowledges the endpoint via FactoryTalk System Services.
3. The endpoint uses the Enrollment over Secure Transport (EST)
technology to request a certificate from that server.
4. The server sends the endpoint a certificate and temporary policy.
Figure 19 - Steps to Using APD
[Figure not reproduced. It shows the four numbered steps above exchanged between an APD-capable endpoint and the server that runs FactoryTalk System Services.]


Depending on your requirements, you can set APD to:
• Automatically or manually deploy the configuration of discovered
devices that match the devices in the security model.
• Allow or restrict the devices in the Onboarding Area from connecting
with other devices in the network.
The APD process is independent from the manual security policy deployment process.
The manual security policy model deployment process can interrupt the APD process.
Once the security model is deployed, APD continues adding and merging the
discovered devices.
For auditing and troubleshooting purposes, APD indicates changes to the
security model with:
• The Results pane updates.
• Toast notifications for onboarding devices and merged devices.
• The following icons throughout the FactoryTalk Policy Manager
interface (icons not reproduced):
Icon | Event
(icon) | Devices newly added to the Onboarding Area.
(icon) | Automatically merged and deployed devices.
(icon) | Automatically merged devices.
Onboarding
The onboarding process automatically identifies EtherNet/IP endpoints and
provisions certificates and temporary policies. Once the onboarding process
finishes, the identified devices are placed in the Onboarding Area.

The devices in the Onboarding Area aren’t a part of the security model. You
can’t add a conduit to the Onboarding Area or to any onboarding device.
Depending on the onboarding policy, you can allow or restrict the onboarding
devices from connecting with other devices in the network.

While you can restrict communication over the EtherNet/IP network, you
cannot restrict communication over the backplane. For example, you can
restrict connections to a ControlLogix 5580 controller via its Ethernet port.
However, a module in the same chassis can still communicate with the
controller via the backplane.
While a device is in the Onboarding Area, other devices can't communicate
with it, which protects the device. You must add the device to the
FactoryTalk Policy Manager security model before other devices can
communicate with it.

You can manually move the devices from the Onboarding Area into the
security model.

IMPORTANT When you move a device from the Onboarding Area to a zone or make the
device unassigned, you can’t assign the device to the Onboarding Area
again.

If you delete a device that can be discovered by APD, FactoryTalk Policy
Manager prompts you to:
• Disable the automatic discovery for the endpoint to help prevent the
device from reappearing in the Onboarding Area.
• Keep the automatic discovery enabled to restore the device in the
Onboarding Area.


Device Does Not Appear in Onboarding Area

It is possible that a device that supports APD is connected to the network and
doesn’t appear in the Onboarding area of FactoryTalk Policy Manager
software.

If the APD function is disabled on the device, it does not appear in the
Onboarding Area. You can enable APD by resetting the device to the out-of-
the-box state.

FactoryTalk System Services starts the Multicast DNS (mDNS) server.

Initially, a CIP Security-capable device sends a DNS-SD query to the DNS
server (if its address is entered in the device's network parameters) to discover
an EST server.
If no DNS server is configured or the query fails, the CIP Security-capable
device sends an mDNS request and waits for a response from any mDNS
responder.

Once the EST server has been discovered, the device interacts with it to
request an identity and trust information.

The following issues can prevent devices from appearing in the Onboarding Area:
• A firewall is preventing communication to the mDNS and/or EST servers,
so FactoryTalk System Services cannot respond to requests.
To resolve this issue, you must add or modify the firewall rules to allow
the communication between the CIP Security-capable device and the
mDNS and/or EST servers.
The ports that must be enabled are:
- mDNS: UDP 5353
- EST: TCP 40014
If this issue exists in your application, we recommend that you use
resources available from the company that designed your firewall to
resolve the issue.
• If more than one network interface is used in the workstation, there are
two IP addresses used in the same workstation, one for each interface.
In this case, FactoryTalk System Services software can fail to identify,
and use, the correct IP addresses. That is, the EST server uses one IP
address. But the mDNS-SD functions as if the EST server is using the
other IP address.
As a result, the request for a certificate is not responded to, and the
device is not onboarded.
For more information, see the FactoryTalk Policy Manager Getting
Results Guide, publication FTALK-GR001.
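The discovery sequence described under Deployment Operation and the two failure causes listed above lend themselves to a preflight check. The following is an added example, not code from the Rockwell publication or from FactoryTalk System Services; it encodes only the rules this chapter states: a device queries unicast DNS-SD when a DNS server is configured in its network parameters and otherwise falls back to mDNS; mDNS needs UDP 5353 and EST needs TCP 40014; a workstation with two interfaces can advertise one IP over mDNS-SD while EST listens on another; and a server on a different subnet needs an external DNS-SD server or a switch that bridges mDNS. The firewall rule format, the addresses, and the device and server records are constructed for this example.

```python
"""Preflight checks for the APD discovery path: DNS-SD or mDNS, then EST.

Added example; not code from the Rockwell publication or from FactoryTalk
System Services. Rule format, addresses and the device/server records are
constructed for this example.
"""
import ipaddress

MDNS_GROUP = "224.0.0.251"        # mDNS multicast group (RFC 6762)
MDNS = ("udp", 5353)              # page: mDNS UDP 5353
EST = ("tcp", 40014)              # page: EST TCP 40014


def discovery_order(dns_server):
    """Transports the device tries, in order, to locate the EST server."""
    order = []
    if dns_server:
        order.append("unicast DNS-SD via %s" % dns_server)
    order.append("mDNS")          # fallback when no DNS server is configured
    return order


def firewall_allows(rules, src_ip, dst_ip, proto, port):
    """First-match evaluation over constructed rules of the form
    (action, src_cidr, dst_cidr, proto or "any", port or None); default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s_net, d_net, r_proto, r_port in rules:
        if (src in ipaddress.ip_network(s_net) and dst in ipaddress.ip_network(d_net)
                and r_proto in ("any", proto) and r_port in (None, port)):
            return action == "allow"
    return False


def diagnose(device, server, rules):
    """Findings that would keep `device` out of the Onboarding Area."""
    findings = []
    dev_net = ipaddress.ip_network(device["cidr"], strict=False)
    est_ip = server["est_ip"]
    # Different subnet: plain mDNS does not cross it.
    if (ipaddress.ip_address(est_ip) not in dev_net
            and not device.get("dns_server") and not server.get("mdns_bridged")):
        findings.append("server on another subnet: an external DNS-SD server "
                        "or an mDNS-bridging switch is required")
    # Firewall: the mDNS query goes to the multicast group, EST to the server.
    if not firewall_allows(rules, device["ip"], MDNS_GROUP, *MDNS):
        findings.append("firewall blocks mDNS (UDP 5353) from %s" % device["ip"])
    if not firewall_allows(rules, device["ip"], est_ip, *EST):
        findings.append("firewall blocks EST (TCP 40014) from %s to %s"
                        % (device["ip"], est_ip))
    # Two interfaces on the workstation: advertised IP must be the EST IP.
    advertised = server.get("mdns_advertised_ip", est_ip)
    if advertised != est_ip:
        findings.append("multi-NIC mismatch: mDNS-SD advertises %s but EST "
                        "listens on %s; certificate requests go unanswered"
                        % (advertised, est_ip))
    return findings


# Constructed scenario: device and server on the same /24, a stray deny rule
# in front of the EST port, and a two-interface server advertising the wrong IP.
DEVICE = {"ip": "192.168.1.8", "cidr": "192.168.1.0/24", "dns_server": None}
SERVER = {"est_ip": "192.168.1.100", "mdns_advertised_ip": "10.0.0.100"}
RULES = [
    ("allow", "192.168.1.0/24", "224.0.0.251/32", "udp", 5353),
    ("deny", "192.168.1.0/24", "192.168.1.100/32", "tcp", 40014),
    ("allow", "192.168.1.0/24", "192.168.1.100/32", "any", None),
]
FIXED_SERVER = {"est_ip": "192.168.1.100", "mdns_advertised_ip": "192.168.1.100"}
FIXED_RULES = [r for r in RULES if r[0] == "allow"]

if __name__ == "__main__":
    print(discovery_order(DEVICE["dns_server"]))
    for finding in diagnose(DEVICE, SERVER, RULES):
        print("-", finding)
    print("after fix:", diagnose(DEVICE, FIXED_SERVER, FIXED_RULES))
```

The constructed scenario reports two findings (the blocked EST port and the interface mismatch) and none once the deny rule is removed and the server advertises the address EST actually listens on; a device on another subnet with no DNS server and no mDNS bridge is reported first, before any port check.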


Use Switch to Respond to mDNS-SD Requests

If the device is connected to a switch that knows the location of the server with
FactoryTalk System Services installed on it, you can set up the switch to
respond to the mDNS requests on behalf of the server with FactoryTalk System
Services.
In this case, the switch functions more like a proxy. When the device makes the
request for the EST server, the switch responds with the location of the EST
server.

However, you must configure the switch to respond with the location of the
EST server. If the switch is not properly configured, the device can’t obtain the
IP address of the EST server.

IMPORTANT Remember the following:
• If the server with FactoryTalk System Services installed on it is on the same
subnet as the device that is being onboarded, mDNS support is not required
in any switch.
• If the server with FactoryTalk System Services installed on it is on a
different subnet than the device that is being onboarded, your application
must use one of the following:
- External DNS-SD server
- Switch that can bridge mDNS over subnets


Automatic Policy Deployment Example

The following is an example of a system in which FactoryTalk System Services
and FactoryTalk Policy Manager are on different subnets.

The application requires an external DNS-SD server or a switch with
technology that bridges mDNS over subnets.

[Figure not reproduced. Labels recovered from the drawing: Level 3.5-4 DMZ/IT (IDMZ network, firewalls, proxy servers); Level 3 site operations network, VLAN 5 (FactoryTalk Policy Manager, FactoryTalk AssetCentre, OT core switch, Active Directory, secure remote access server, maintenance laptop with Studio 5000 Logix Designer and FactoryTalk View Studio, FactoryTalk Linx); Level 2 area supervisory network (VLAN 10, VLAN 20, VLAN 30, VLAN 40); Level 0-1 controller/sensor network.]

Merging
Depending on the security model and the devices available in the network, the
merging process can be automatic or manual.

Automatic Merging

The merging process is automatic if the onboarding device has the same IP
address as the matching device in the security model.

The onboarding device does not need to be identical with the matching device
in the security model. During the merging process, the newer device
properties overwrite the older device properties.

IMPORTANT The following properties are never overwritten by the automatic merging
process:
• IP address
• Device name
• Device description

Manual Merging

The merging process is manual if the onboarding device can't be associated
with any device in the security model.

An administrator can manually move the discovered device from the
Onboarding Area to the security model.


Disable Automatic Policy Deployment in a Device


There are two ways to disable APD:
• You can disable APD on a device.
When you disable APD on a device, it no longer sends out DNS-SD
queries to the server. This option only applies to one device, however.
• You can disable APD in FactoryTalk Policy Manager software.
When you disable APD in the software, you disable the EST services and
the queries from any APD-capable devices are not responded to.

Disable APD on a Device With FactoryTalk Policy Manager Software

To disable APD for a device with FactoryTalk Policy Manager software,
complete the following steps.
1. Move the device from the Discovery pane to the security model.
2. Deploy the security model.
3. Remove the device from the model.
4. When prompted, choose to disable the automatic discovery for this
device and click Delete.
5. Deploy the security model.


Disable APD on a Device With FactoryTalk Linx Software

You can use FactoryTalk Linx software, version 6.30.00 or later, to disable
Automatic Policy Deployment. However, to do so, you must disable CIP
Security completely for the device.

To disable APD for a device with FactoryTalk Linx software, version 6.30.00 or
later, complete the following steps.
1. Go to the Advanced Settings dialog box.
2. On the General tab, check the Enable Device Configuration check box.
3. Confirm that the Enable Device Configuration check box is enabled and
click OK.


4. From the Device Configuration menu, complete the following steps.


a. Click the CIP Security tab.
b. Check the Disable CIP Security (Port 2221) checkbox.
c. Click Refresh.

IMPORTANT Once Automatic Policy Deployment is disabled, to re-enable it, you must
return the device to its factory default settings and, if necessary, update
the firmware to the required minimum revision or later.

Disable Automatic Policy Deployment in FactoryTalk Policy Manager


You can disable APD in FactoryTalk Policy Manager software after it’s been
enabled.

To disable APD in FactoryTalk Policy Manager software, check or uncheck the
boxes in the Automatic Policy Deployment section of FactoryTalk Policy
Manager software.
The Automatic Policy Deployment section is in the software’s global settings.


Firmware Revision Updates


Some components have a minimum required firmware revision to operate in
an IACS with CIP Security that is less than the minimum required firmware
revision to use Automatic Policy Deployment. You can update the firmware
revision to use Automatic Policy Deployment.
For example, you can use a 1756-EN4TR ControlLogix EtherNet/IP
communication module, firmware revision 3.002, in an IACS with CIP
Security. You can replace the communication module with another at the same
firmware revision level, that is, revision 3.002. But the replacement
communication module does not support Automatic Policy Deployment.
In this example, for the replacement communication module to support
Automatic Policy Deployment, update the communication module from
revision 3.002 to revision 4.001 or later.

Benefits of Automatic Policy Deployment


The following benefits exist with APD:
• Easier device replacement - Certificates are unique to each device. With
APD, once the replacement device receives the new certificate, it can
communicate securely with the server.
• Initial commissioning - When you set up a system, APD lets identity
distribution be more automated.
• Reduced risk for a device on the network - By using a staging area, the
trust-on-first-use (TOFU) window is shortened.


Add a New Device That Supports Automatic Policy Deployment

There are two scenarios in which a device that supports APD is added to an
IACS with CIP Security implemented:
• New Device is Not in the Security Policy Model
• New Device is in the Security Policy Model

New Device is Not in the Security Policy Model


In this scenario, you add a device that wasn’t previously in the FactoryTalk
Policy Manager security policy model.
Figure 20 - Add a New Device When Device is Not in the Security Policy Model
[Figure: Existing CIP Security System on the left; CIP Security System with
New Device on the right. Device to be added: 1756-EN4TR Communication Module.]

Complete the following steps.


1. Connect the 1756-EN4TR communication module to the network.
2. When the 1756-EN4TR communication module appears in the
Onboarding area of FactoryTalk Policy Manager software, merge the
1756-EN4TR communication module into the security policy model.
3. Deploy the updated security model as described in Deploy Security
Model on page 58.


New Device is in the Security Policy Model


In this scenario, you add a device that is in the FactoryTalk Policy Manager
security policy model but the policy wasn’t deployed to that device yet.
Figure 21 - Add a New Device When Device is in the Security Policy Model
[Figure: Existing CIP Security System on the left; CIP Security System with
New Device on the right. Device to be added: 1756-EN4TR Communication Module.]

Complete the following steps.


1. Connect the 1756-EN4TR communication module to the network.
The communication module appears in the Onboarding area of
FactoryTalk Policy Manager software and is automatically merged into
the security model.
2. Deploy the updated security model as described in Deploy Security
Model on page 58.


Replace a Device That Supports Automatic Policy Deployment

There are two scenarios in which a device that supports APD replaces a device:
• Replacement Device is Not Identical to the Existing Device
• Replacement Device is Identical to the Existing Device

Replacement Device is Not Identical to the Existing Device


In this scenario, you replace a device that is in the FactoryTalk Policy Manager
security policy model and has the same IP address. However, the replacement
device isn’t the same as the existing device.

IMPORTANT When you replace a device with another device that uses the same IP
address, the new device’s properties overwrite the existing device’s
properties.
Figure 22 shows an example in which the PowerFlex 755T drive with IP address
192.168.1.10 is replaced by a 1756-EN4TR communication module with the same
IP address.
Figure 22 - Replace a Device With a New Device That Only Uses the Same IP Address
[Figure: Existing CIP Security System on the left, containing a PowerFlex 755T
Drive, IP Address 192.168.1.10; CIP Security System with Replacement Device on
the right, where the replacement device is a 1756-EN4TR Communication Module,
IP Address 192.168.1.10.]

Complete the following steps.


1. Disconnect the PowerFlex 755T drive from the network.
2. Connect the 1756-EN4TR communication module to the network.
The communication module appears in the Onboarding area of
FactoryTalk Policy Manager software and is automatically merged into
the security model.
You can access the Onboarding area in FactoryTalk Policy Manager via the
following:
• Canvas tab - When devices are set up, they automatically appear in the
Canvas tab.
• Devices tab - Find the device in the device list.
3. Deploy the updated security model as described in Deploy Security
Model on page 58.


Replacement Device is Identical to the Existing Device


In this scenario, you replace a device that is in the FactoryTalk Policy Manager
security policy model. The replacement device is identical to the existing
device. That is, the following properties match between the devices:
• IP address
• Vendor
• Product type
• Product code

IMPORTANT This process is known as Secured Device Replacement.

Figure 23 shows an example in which a 1756-EN4TR communication module is
replaced by a 1756-EN4TR communication module with the same properties.
Figure 23 - Replace a Device With An Identical Device
[Figure: Existing CIP Security System on the left with a 1756-EN4TR
Communication Module; CIP Security System with New Device on the right, where
the replacement device is an identical 1756-EN4TR Communication Module.]

Complete the following steps.


1. Disconnect the 1756-EN4TR communication module from the network.
2. Connect the replacement 1756-EN4TR communication module to the
network.
The communication module appears in the Onboarding area of
FactoryTalk Policy Manager software and is automatically merged into
the security model.

The security policy is automatically deployed to the new communication
module using APD.
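The rules this chapter states across Firmware Revision Updates, Replacement Device is Not Identical to the Existing Device, and Replacement Device is Identical to the Existing Device amount to one decision: when a device appears on the network, is it new, a same-address replacement whose properties overwrite the old entry, an identical replacement that still needs Replace Device because it lacks APD, or a Secured Device Replacement that APD handles by itself. The following is an added example written for this page, not FactoryTalk Policy Manager code or any Rockwell Automation API. The `Device` type, the `classify_onboarding` and `onboard` functions, the sample vendor, product type and product code values, and the choice to treat catalogs whose APD threshold the document does not state as not APD-capable are all assumptions of the example; the two firmware thresholds it encodes (1756-EN4TR revision 4.001, ControlLogix 5580 at 33.xxx or earlier not supported) come from this chapter. It generalizes the three scenarios into a single classification of any newly seen device.

```python
"""Onboarding decision helper for a CIP Security system that uses APD.

Added example, not Rockwell Automation or FactoryTalk Policy Manager code.
It models the rules stated in this chapter: a replacement is a Secured Device
Replacement only when IP address, vendor, product type and product code all
match; a device with the same IP address but a different identity overwrites
the existing entry and needs a manual deploy; anything else is a new device.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Device:
    ip: str
    vendor: int          # constructed sample values, not real CIP vendor IDs
    product_type: int
    product_code: int
    catalog: str         # product family name as used in this document
    firmware: str        # revision as printed on the product, e.g. "3.002"


def parse_revision(rev: str) -> Tuple[int, int]:
    """Turn '4.001' into (4, 1) so that revisions compare numerically."""
    major, minor = rev.split(".")
    return int(major), int(minor)


# Minimum firmware revision that supports APD. Only the two values this
# document states are encoded; a catalog that is not listed is treated as
# not supporting APD (a conservative assumption of this example).
APD_MIN_REVISION: Dict[str, Tuple[int, int]] = {
    "1756-EN4TR": (4, 1),          # "revision 4.001 or later"
    "ControlLogix 5580": (34, 0),  # Table 20: 33.xxx or earlier is not supported
}


def supports_apd(dev: Device) -> bool:
    minimum = APD_MIN_REVISION.get(dev.catalog)
    return minimum is not None and parse_revision(dev.firmware) >= minimum


def identity(dev: Device) -> Tuple[int, int, int]:
    """The three keying fields that, together with the IP address, must match."""
    return (dev.vendor, dev.product_type, dev.product_code)


def classify_onboarding(model: Dict[str, Device], new: Device) -> Tuple[str, str]:
    """Return (case, required action) for a device that has just appeared.

    `model` maps IP address -> device currently in the security policy model.
    """
    existing = model.get(new.ip)
    if existing is None:
        return ("new device", "merge into the model, then deploy")
    if identity(existing) != identity(new):
        # Same IP address, different device: the old properties are overwritten.
        return ("replacement, not identical",
                "existing properties are overwritten, then deploy")
    if not supports_apd(new):
        return ("replacement, identical, no APD", "use Replace Device, then deploy")
    return ("secured device replacement", "policy is deployed automatically by APD")


def onboard(model: Dict[str, Device], new: Device) -> Tuple[str, Dict[str, Device]]:
    """Apply the onboarding result and return (case, updated model).

    A device with the same IP address overwrites the existing entry, as the
    IMPORTANT note in this chapter describes; a new IP address is added.
    The input model is left unchanged.
    """
    case, _action = classify_onboarding(model, new)
    updated = dict(model)
    updated[new.ip] = new
    return case, updated


if __name__ == "__main__":
    # Constructed sample: addresses and keying values are illustrative only.
    drive = Device("192.168.1.10", 1, 123, 5001, "PowerFlex 755T", "10.001")
    model = {"192.168.1.10": drive}
    candidates = [
        Device("192.168.1.10", 1, 12, 2001, "1756-EN4TR", "4.001"),  # same IP, other device
        Device("192.168.1.10", 1, 12, 2001, "1756-EN4TR", "4.001"),  # identical, APD-capable
        Device("192.168.1.11", 1, 12, 2001, "1756-EN4TR", "3.002"),  # new IP address
    ]
    for candidate in candidates:
        case, model = onboard(model, candidate)
        print(candidate.ip, candidate.catalog, candidate.firmware, "->", case)
```

The point of keeping `supports_apd` separate from the identity check is that the two failure modes look the same on the network (a module with the right catalog number at the right address) but need different operator actions: the identical but down-level module must be updated or handled with Replace Device, while the mismatched one silently overwrites the model entry and should be caught before deploy.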


Devices That Do Not Support Automatic Policy Deployment

Table 20 lists CIP Security-capable devices that do not support APD.
Table 20 - CIP Security-capable Devices That Do Not Support APD
Software or Component            Software Version   Firmware Revision
FactoryTalk® Policy Manager      6.21 or later      —
FactoryTalk System Services      6.21 or later      —
FactoryTalk Linx                 6.21 or later      —
ControlLogix® 5580 Controllers   —                  33.xxx or earlier
Armor™ PowerFlex Drives          —                  10.001
Kinetix® 5300 Drives             —                  13.003
Kinetix 5700 Drives              —                  11.001
PowerFlex 755T Drives            —                  10.001
PowerFlex 755TS Drives           —                  11.001

Add a Device That Does Not Support APD to an Existing CIP Security System

Complete the following steps to add a CIP Security-capable device that does
not support APD to an existing CIP Security system.
1. Connect the device to the network.
2. In FactoryTalk Policy Manager software, add devices to the zone. You can
add devices in the following ways:
• Discover devices via FactoryTalk Linx.
• Manually add devices from the catalog.
3. Deploy the updated security model as described in Deploy Security
Model on page 58.


Replace a Secured Device That Does Not Support APD in an Existing System

When you replace a CIP Security-enabled device that does not support APD, it
can’t function in a secured IACS as before without a policy redeployment.

IMPORTANT This restriction does not apply when you use a 1783-CSP Proxy to connect a
proxied device to an IACS that uses CIP Security.
If you replace a proxied device that is connected to a 1783-CSP Proxy with
an identical device, that is, same device type, catalog number, firmware
revision, and IP address, you aren’t required to redeploy the security
model.
For more information on how to use a 1783-CSP Proxy in an IACS that has
CIP Security implemented, see the CIP Security Proxy User Manual,
publication 1783-UM013.

Complete the following steps to replace a CIP Security-enabled device that
does not support APD.


1. Disconnect the original device from the network.
2. Connect the new device to the network.
3. In FactoryTalk Policy Manager software, select a particular device and
click Replace Device.

4. When the following dialog box appears, choose when to reset device
communication on ports included in the model, and click Deploy.



Appendix A

CIP Security Compatibility

This section describes the software and the devices that you can use in an IACS
with CIP Security™ implemented. The devices that are listed in the section can
be connected directly to the IACS or via a CIP™ Security-capable device, for
example, a 1756-EN4TR EtherNet/IP™ communication module or a 1783-CSP
CIP Security Proxy.

Software

Table 21 lists the software that is used to implement CIP Security.
Table 21 - Software That Is Used to Implement CIP Security
Software                       Version              Required
FactoryTalk® Policy Manager    6.11 or later        Yes
FactoryTalk System Services    6.11 or later        Yes
FactoryTalk Linx               6.11 or later        Yes
Studio 5000 Logix Designer®    31.00.00 or later    Not required but commonly used with CIP Security.

Logix Controllers

Table 22 lists how Logix controllers can, and can't, be used with CIP Security.
Table 22 - Logix Controllers With CIP Security
Software versions (columns of the original table, left to right): RSLogix 5000®
V16 V17 V18 V19 V20; Studio 5000 Logix Designer® V21 V23 V24 V26 V27 V28 V29
V30 V31 V32 V33 V34. Each entry lists the support level for successive software
version ranges, earliest range first.

ControlLogix® 5580 controllers
  Earliest range: NA
  Next range: No support for CIP Security
  Next range: CIP Security is supported by using either of the following:
    • A 1756-EN4TR communication module in the same chassis.
    • A CIP Security Proxy.(1)
  Latest range: CIP Security is supported by using one of the following:
    • The controller Ethernet port.
    • A 1756-EN4TR communication module in the same chassis.
    • A CIP Security Proxy.(1)
ControlLogix 5570 controllers
  Earliest range: NA
  Next range: No support for CIP Security
  Latest range: CIP Security is supported by using either of the following:
    • A 1756-EN4TR communication module in the same chassis.
    • A CIP Security Proxy.(1)
ControlLogix 5560 controllers
  Earliest range: No support for CIP Security; later versions: NA
ControlLogix 5550 controllers
  Earliest range: No support for CIP Security; later versions: NA
GuardLogix® 5580 controllers
  Earliest range: NA
  Next range: CIP Security is supported by using either of the following:
    • A 1756-EN4TR communication module in the same chassis.
    • A CIP Security Proxy.(1)
  Latest range: CIP Security is supported by using one of the following:
    • The controller Ethernet port.
    • A 1756-EN4TR communication module in the same chassis.
    • A CIP Security Proxy.(1)
GuardLogix 5570 controllers
  Earliest range: NA
  Next range: No support for CIP Security
  Latest range: CIP Security is supported by using either of the following:
    • A 1756-EN4TR communication module in the same chassis.
    • A CIP Security Proxy.(1)
GuardLogix 5560 controllers
  Earliest range: No support for CIP Security; later versions: NA
CompactLogix™ 5380 controllers
  Earliest range: NA
  Next range: No support for CIP Security
  Next range: CIP Security is supported by using a CIP Security Proxy.(1)
  Latest range: CIP Security is supported by using one of the following:
    • Either controller Ethernet port.
    • A CIP Security Proxy.(1)
CompactLogix 5370 controllers
  Earliest range: NA
  Next range: No support for CIP Security
  Latest range: CIP Security is supported by using a CIP Security Proxy.(1)
Compact GuardLogix SIL 2 5380 controllers
  Earliest range: NA
  Next range: CIP Security is supported by using a CIP Security Proxy.(1)
  Latest range: CIP Security is supported by using one of the following:
    • Either controller Ethernet port.
    • A CIP Security Proxy.(1)
Compact GuardLogix SIL 3 5380 controllers
  Earliest range: NA
  Next range: CIP Security is supported by using a CIP Security Proxy.(1)
  Latest range: CIP Security is supported by using one of the following:
    • Either controller Ethernet port.
    • A CIP Security Proxy.(1)
Compact GuardLogix 5370 controllers
  Earliest range: NA
  Next range: No support for CIP Security
  Latest range: CIP Security is supported by using a CIP Security Proxy.(1)
CompactLogix 5480 controllers
  Earliest range: NA; later versions: No support for CIP Security
1768 CompactLogix controllers
  Earliest range: No support for CIP Security; later versions: NA
1768 Compact GuardLogix controllers
  Earliest range: NA; middle range: No support for CIP Security; latest range: NA
1769 CompactLogix controllers
  Earliest range: No support for CIP Security; later versions: NA
FlexLogix™ L34 controllers
  Earliest range: No support for CIP Security; later versions: NA
DriveLogix™ 5370 controllers
  Earliest range: No support for CIP Security; later versions: NA
SoftLogix™ 5800 controllers
  Earliest range: No support for CIP Security; later versions: NA
(1) IMPORTANT: This is only for workstation programming, upload/download, and data collection, not for I/O.
For more information, see the CIP Security Proxy User Manual, publication 1783-UM013.


ControlLogix 5580 and 5570 Controller Redundancy

Table 23 lists how ControlLogix 5570 and 5580 controller redundancy can be
used with CIP Security.

Table 23 - ControlLogix 5580 and 5570 Controller Redundancy With a CIP Security System
Software versions (columns of the original table, left to right): RSLogix 5000
V16 V17 V18 V19 V20; Studio 5000 Logix Designer V21 V23 V24 V26 V27 V28 V29
V30 V31 V32 V33 V34. Each entry lists the support level for successive software
version ranges, earliest range first.

ControlLogix 5580 Redundancy
  Earliest range: NA
  Next range: CIP Security is supported by using a single CIP Security Proxy
  through an Ethernet switch to 1756-EN2x communication modules in a
  redundant chassis pair.(1)
  Latest range: CIP Security is supported by using one of the following:
    • A single CIP Security Proxy through an Ethernet switch to 1756-EN2x
      EtherNet/IP communication modules in a redundant chassis pair.(1)
    • A pair of 1756-EN4TR communication modules, firmware revision 4.001
      or later.(2)
ControlLogix 5570 Redundancy
  Earliest range: NA
  Next range: No support for CIP Security
  Latest range: CIP Security is supported by using a single CIP Security Proxy
  through an Ethernet switch to 1756-EN2x EtherNet/IP communication modules
  in a redundant chassis pair.(1)
(1) IMPORTANT: This is only for workstation programming, upload/download, and data collection, not for I/O.
For more information, see the CIP Security Proxy User Manual, publication 1783-UM013.
(2) IMPORTANT: This is only for workstation programming, upload/download, and data collection, not for I/O.
For more information, see the High Availability Systems Reference Manual, publication HIGHAV-RM002.

Other Devices

Table 24 lists other devices that you can use with CIP Security.
Table 24 - Other Devices Used With a CIP Security System
Device                                          Firmware Revision
1756-EN4TR EtherNet/IP communication module     Any
Armor™ PowerFlex® drives                        10.001 or later
Kinetix® 5300 drives                            13.003 or later
Kinetix 5700 drives                             11.001 or later
PowerFlex® 755T drives                          10.001 or later
PowerFlex 755TS drives                          11.001 or later
1783-CSP CIP Security Proxy                     Any
Proxied devices that have been tested with the 1783-CSP CIP Security Proxy:
For information on the devices that have been tested with a CIP Security
Proxy and can be used in a system with CIP Security implemented, see the CIP
Security Proxy User Manual, publication 1783-UM013.



Appendix B

History of Changes

This section contains the new or updated information for each revision of this
publication. These lists include substantive updates only and are not intended
to reflect all changes. Translated versions are not always available for each
revision.

SECURE-AT001B-EN-P, August 2021

This revision:
• Added information about the following products that you can use with
CIP Security:
- 1783-CSP CIP Security Proxy
- Kinetix 5300 drives
- PowerFlex® 755T drives
• Description of how to migrate an application from using FactoryTalk
Policy Manager, version 6.11, to FactoryTalk Policy Manager, version 6.20
• Updated the description of Studio 5000 Logix Designer application
• Updated the description of ControlLogix® 5580 controllers
• Added a description of an initial security model deployment failure if a
ControlLogix 5580 controller is in Run Mode
• Added a description of conditions in which you cannot download to a
ControlLogix 5580 controller from an unsecure workstation
• Added a PowerFlex 755T drive to the CIP Bridging graphic
• Updated the description of the Replace Device limitation
• Added a description of the different security model deployment types
• Updated the description of how to back up the security model
• Added a description of how to restore FactoryTalk System Services
• Added a description of how to replace a CIP Security-enabled device
• Updated graphics to show a 1783-CSP CIP Security Proxy



Index

Numerics
1783-CSP CIP Security Proxy
  description 20

A
Armor PowerFlex drives 19
attack types
  denial of service 10
  man-in-the-middle 10
  monitor data 10
automatic device configuration 41
automatic policy deployment 89 - 100
  disable 97 - 99
  enable 90

B
back up
  FactoryTalk Directory 62
  security model 62

C
certificates 14
CIP bridging 36
CIP bridging control 38 - 40
CIP Security components 23 - 25
  conduits 25
  devices 23
  zones 24
CIP Security properties
  data confidentiality 16
  data integrity and authentication 16
  device identity and authentication 16
CIP Security-capable
  hardware 19
    1783-CSP CIP Security Proxy 20
    Armor PowerFlex drives 19
    Compact GuardLogix 5380 controllers 19
    CompactLogix 5380 controllers 19
    ControlLogix 5580 controllers 19, 20
    ControlLogix EtherNet/IP communication module (1756-EN4TR) 20
    GuardLogix 5580 controllers 20
    Kinetix 5300 drives 20
    Kinetix 5700 drives 20
    PowerFlex 755T drives 20
    PowerFlex 755TS drives 20
  software 17
    FactoryTalk Linx 18
    FactoryTalk Policy Manager 18
    FactoryTalk System Services 18
    Studio 5000 Logix Designer 18
Compact GuardLogix 5380 controllers 19
CompactLogix 5380 controllers 19
conduits 25, 49 - 56
  configure 55
  create 50 - 54
  security matrix 81
  security policy properties 27
connections
  I/O 41
  secure programming connection
    CompactLogix 5370 controllers 34
    ControlLogix 5570 or 5580 redundant controllers 32
controllers
  Compact GuardLogix 5380 19
  CompactLogix 5380 19
  ControlLogix 5580 19, 20
  GuardLogix 5580 20
ControlLogix 5580 controllers
  description 19, 20
ControlLogix EtherNet/IP communication module (1756-EN4TR)
  description 20
countermeasures
  data confidentiality 13
  data integrity and authentication 13
  device identity and authentication 13

D
data confidentiality
  description 16
data integrity and authentication
  description 16
defense-in-depth architecture 12
denial-of-service attack 10
deploy
  no deploy to controller in run mode 30
  security model 58 - 61
device
  add 101, 105
  replace 103, 104, 106
device identity and authentication 14
  certificates 14
  description 16
  pre-shared keys 14
disable CIP Security 41
drives
  Armor PowerFlex 19
  automatic device configuration 41
  Kinetix 5300 20
  Kinetix 5700 20
  PowerFlex 755T 20
  PowerFlex 755T drives
    set mask parameters 72 - 74
Dual-IP mode 28 - 29

E
events
  use with syslog 75 - 77

F
FactoryTalk Administration Console
  remove security configuration from FactoryTalk Linx 66
FactoryTalk Directory
  back up 62
FactoryTalk Linx
  description 18
  disable CIP Security 41
FactoryTalk Policy Manager
  description 18
  remove security policy from a device 64 - 71
FactoryTalk System Services
  back up 62
  description 18
  restore 63
firmware revision updates 100

G
GuardLogix 5580 controllers
  description 20

I
I/O connections 41

K
Kinetix 5300 drives
  description 20
Kinetix 5700 drives
  description 20

L
legacy devices
  add to security model 42
limitations
  CIP bridging 36
  Dual-IP mode 28 - 29
  I/O connections 41
  no connection between workstation and controller 31
  no deployment to controller in run mode 30
  no download from unsecure workstation 30
  using network address translation 34

M
man-in-the-middle attack 10
mask parameters
  set on PowerFlex 755T drives 72 - 74
monitor data attack 10

N
network address translations
  limitations with CIP Security 34

P
Policy provisioning 36
PowerFlex 755T drives
  description 20
  set mask parameters 72 - 74
PowerFlex 755TS drives
  description 20
pre-shared keys 14

R
remove security policy
  from a device 68 - 71
  from a software application 64 - 67
restore
  FactoryTalk System Services 63
risk assessment 11
RSLinx Classic software 42

S
secure eventing 75
security assessment
  conduct threat assessment 11
  perform risk assessment 11
  perform vulnerability assessment 11
security matrix
  conduits 81
  zones and devices 46, 80
security model
  back up 62
  deploy 58 - 61
security policy
  remove from a device 64 - 71
security policy properties
  conduits 27
  zones 26
software
  CIP Security-capable 17
  FactoryTalk Linx 18
    disable CIP security 41
  FactoryTalk Policy Manager 18
  FactoryTalk System Services 18
    restore 63
  RSLinx Classic 42
  Studio 5000 Logix Designer 18
Studio 5000 Logix Designer
  description 18
Syslog 75 - 77
  collector 75
  fault codes 76
  secure eventing 75
  severity levels 76

T
threat assessment 11

V
vulnerability assessment 11

Z
zones 24, 45 - 48
  configure 48
  create 46
  security matrix 46
  security policy properties 26



Rockwell Automation Support
Use these resources to access support information.
Technical Support Center Find help with how-to videos, FAQs, chat, user forums, and product notification updates. rok.auto/support
Knowledgebase Access Knowledgebase articles. rok.auto/knowledgebase
Local Technical Support Phone Numbers Locate the telephone number for your country. rok.auto/phonesupport
Literature Library Find installation instructions, manuals, brochures, and technical data publications. rok.auto/literature
Product Compatibility and Download Center (PCDC) Download firmware, associated files (such as AOP, EDS, and DTM), and access product release notes. rok.auto/pcdc

Documentation Feedback
Your comments help us serve your documentation needs better. If you have any suggestions on how to improve our
content, complete the form at rok.auto/docfeedback.

Waste Electrical and Electronic Equipment (WEEE)

At the end of life, this equipment should be collected separately from any unsorted municipal waste.

Rockwell Automation maintains current product environmental compliance information on its website at rok.auto/pec.

Allen-Bradley, Armor, Compact 5000, CompactLogix, Connected Components Workbench, ControlLogix, DPI, expanding human possibility, FactoryTalk, FactoryTalk Network Manager, FLEX 5000,
GuardLogix, Kinetix, Logix 5000, On-Machine, POINT I/O, PowerFlex, PanelView, Rockwell Automation, RSLinx, Stratix, Studio 5000, Studio 5000 Logix Designer, and TotalFORCE are trademarks of Rockwell
Automation, Inc.
CIP, CIP Security, and EtherNet/IP are trademarks of ODVA, Inc.
Windows is a trademark of Microsoft Corporation.
Trademarks not belonging to Rockwell Automation are property of their respective companies.
Rockwell Otomasyon Ticaret A.Ş. Kar Plaza İş Merkezi E Blok Kat:6 34752, İçerenköy, İstanbul, Tel: +90 (216) 5698400 Complies with the EEE Regulation

Publication SECURE-AT001C-EN-P - August 2022


Supersedes Publication SECURE-AT001B-EN-P - August 2021 Copyright © 2022 Rockwell Automation, Inc. All rights reserved. Printed in the U.S.A.
