OT Cybersecurity | 6 min read

EtherNet/IP - CIP-based industrial Ethernet protocol. Security and segmentation

EtherNet/IP (CIP over Ethernet) - TCP port 44818 and UDP 2222, Rockwell/Allen-Bradley ecosystem, CIP Security with TLS/DTLS. Security analysis and segmentation recommendations.

Józef Sulwiński
Tags: EtherNet/IP, CIP, port 44818, Rockwell

EtherNet/IP is one of the most widely deployed industrial communication protocols in the world. The “IP” in the name does not refer to Internet Protocol but stands for “Industrial Protocol” - which accurately reflects the designers’ intention: to bring the proven CIP (Common Industrial Protocol) communication model to standard Ethernet and TCP/IP infrastructure. The protocol is a pillar of the Rockwell Automation / Allen-Bradley ecosystem, but is also supported by manufacturers such as Omron, Molex, and Schneider Electric.

This article covers EtherNet/IP architecture, technical parameters relevant to security, the CIP Security mechanism, and practical recommendations for segmenting OT networks where this protocol is present.

Architecture and communication model

EtherNet/IP is based on the CIP protocol - the same one used by DeviceNet and ControlNet networks. CIP defines a common object model for devices (controllers, drives, I/O modules) and a uniform set of services (read attribute, write, reset). This means a programmer working with an Allen-Bradley PLC sees the same objects regardless of the transport layer.

EtherNet/IP communication uses two channels:

  • Explicit messaging (TCP, port 44818) - request/response communication used for configuration, diagnostics, and non-time-critical data transfer. A TCP session is established with a RegisterSession command.
  • Implicit messaging (UDP, port 2222) - cyclic producer-consumer communication used for real-time I/O data exchange. Data is sent as multicast or unicast UDP frames at a set interval (typically 1-100 ms).

Technical parameters

Parameter                      | Value
-------------------------------|-----------------------------------------------
OSI model layer                | 4-7 (TCP/IP + CIP)
Port - configuration           | TCP 44818
Port - I/O data                | UDP 2222
Encapsulation                  | CIP over TCP/UDP (EtherNet/IP Encapsulation)
Authentication (native)        | None - CIP does not require authentication
Encryption (native)            | None
Authentication (CIP Security)  | TLS 1.2+ / DTLS 1.2+ with X.509 certificates
Encryption (CIP Security)      | AES-128/256-GCM
Primary ecosystem              | Rockwell Automation / Allen-Bradley
Standards organization         | ODVA (Open DeviceNet Vendors Association)

Security assessment

In its basic form, EtherNet/IP provides no security mechanisms. A TCP session on port 44818 can be established by any network device without authentication. Once the session is established, it is possible to read and write CIP object attributes - including changing PLC operating parameters, forcing output values, or resetting devices.

Implicit messaging on UDP port 2222 is even more exposed - UDP frames do not even require session establishment. An attacker with access to the network segment can inject I/O frames impersonating a controller or I/O module.

TIP

The open-source tool pycomm3 (Python) allows reading/writing Rockwell PLC tags via EtherNet/IP without any authentication. The same tool that makes integrators’ work easier becomes an attack vector in an attacker’s hands. It is worth testing whether your firewall rules effectively block such traffic.

CIP Security - security extension

ODVA published the CIP Security specification as an extension to the CIP protocol. The mechanism relies on:

  • TLS 1.2+ for explicit messaging (TCP) - encryption and authentication of configuration sessions
  • DTLS 1.2+ for implicit messaging (UDP) - encryption and authentication of I/O data
  • X.509 certificates - mutual device authentication (device identity)
  • Pre-shared keys (PSK) - an alternative to certificates for simpler deployments

CIP Security is available in newer Rockwell controllers (ControlLogix 5580, CompactLogix 5480) and selected I/O modules. Deployment requires PKI infrastructure or manual certificate management.

TIP

CIP Security addresses the authentication and encryption problem but does not replace segmentation. Even with CIP Security enabled, EtherNet/IP devices should reside in a dedicated network zone with controlled access at the boundaries.

Network segmentation with EtherNet/IP

Since EtherNet/IP operates on the standard TCP/IP stack, segmentation is simpler than for Layer 2 protocols (PROFINET, EtherCAT). Firewalls and ACLs can filter traffic based on ports and IP addresses.

Practical recommendations

  1. Dedicated zone for EtherNet/IP devices - PLCs, I/O modules, and HMI panels communicating via EtherNet/IP should be in a separate VLAN with a firewall at the boundary.

  2. Port filtering on the firewall - allow TCP 44818 and UDP 2222 only between known IP addresses. Block EtherNet/IP traffic to/from the corporate IT network.

  3. Block multicast at zone boundaries - implicit messaging may use multicast addresses (default 239.192.1.0/24). Ensure multicast does not cross OT zone boundaries.

  4. TCP 44818 access control - this is the main configuration vector. Only engineering stations from authorized segments should have access.

  5. Anomaly monitoring - IDS/IPS systems with CIP protocol support (e.g. Claroty, Nozomi Networks, Dragos) can detect unauthorized CIP operations - such as tag writes, PLC mode changes, or device resets.

  6. Deploy CIP Security where possible - in new installations with Rockwell 5580/5480 series controllers, it is worth activating CIP Security as an additional layer of protection.
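A worked example of the two-channel model and of the filtering and monitoring recommendations above, added here and not part of the original article or of any tool it names: it builds the 24-byte EtherNet/IP encapsulation header that a RegisterSession command on TCP 44818 begins with, parses frames back, and applies the zone policy (explicit sessions only from engineering stations, UDP 2222 only between known I/O peers) to constructed sample flows. All IP addresses and host sets are hypothetical.

```python
import struct

# EtherNet/IP encapsulation header, 24 bytes little-endian: command, length,
# session handle, status, sender context (8 bytes), options
ENCAP_HDR = struct.Struct("<HHII8sI")
REGISTER_SESSION = 0x0065      # command code of RegisterSession
ENIP_TCP_PORT = 44818          # explicit messaging
IO_UDP_PORT = 2222             # implicit (I/O) messaging

def build_encap(command, data=b"", session=0, context=b"\x00" * 8):
    """Build an encapsulation frame: header followed by command-specific data."""
    return ENCAP_HDR.pack(command, len(data), session, 0, context, 0) + data

def register_session_request():
    """RegisterSession data: protocol version 1, option flags 0 (no credentials)."""
    return build_encap(REGISTER_SESSION, struct.pack("<HH", 1, 0))

def parse_encap(buf):
    """Parse a frame; return its fields or None if header and length disagree."""
    if len(buf) < ENCAP_HDR.size:
        return None
    command, length, session, status, context, options = ENCAP_HDR.unpack_from(buf)
    if len(buf) != ENCAP_HDR.size + length:
        return None
    return {"command": command, "session": session, "status": status,
            "data": buf[ENCAP_HDR.size:]}

def audit_flows(flows, engineering_stations, io_peers):
    """Check flows (src_ip, dst_ip, proto, dst_port, payload) against the zone policy:
    RegisterSession only from engineering stations, UDP 2222 only from known I/O peers."""
    findings = []
    for src, dst, proto, port, payload in flows:
        if proto == "tcp" and port == ENIP_TCP_PORT:
            frame = parse_encap(payload)
            if frame is None:
                findings.append(f"{src}->{dst}: malformed encapsulation frame on TCP 44818")
            elif frame["command"] == REGISTER_SESSION and src not in engineering_stations:
                findings.append(f"{src}->{dst}: RegisterSession from a non-engineering host")
        elif proto == "udp" and port == IO_UDP_PORT and src not in io_peers:
            findings.append(f"{src}->{dst}: implicit I/O traffic from an unknown source")
    return findings

# Constructed sample flows (hypothetical addresses, not a real capture).
ENGINEERING = {"10.10.1.20"}
IO_PEERS = {"10.10.1.31"}
SAMPLE_FLOWS = [
    ("10.10.1.20", "10.10.1.5", "tcp", 44818, register_session_request()),    # engineering station
    ("192.168.50.7", "10.10.1.5", "tcp", 44818, register_session_request()),  # corporate IT host
    ("10.10.1.31", "10.10.1.5", "udp", 2222, b"\x00" * 8),                    # known I/O module
    ("10.10.1.99", "10.10.1.5", "udp", 2222, b"\x00" * 8),                    # unknown I/O source
]
```

Running audit_flows(SAMPLE_FLOWS, ENGINEERING, IO_PEERS) reports the corporate-host session attempt and the unknown I/O source, which are exactly the two flows recommendations 2 and 4 say the boundary firewall should block.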

More on designing zones and conduits in OT environments in the article OT network segmentation - how to protect industrial systems.

Summary

EtherNet/IP is a mature, widely deployed protocol that - in its basic form - lacks security mechanisms. It operates on the standard TCP/IP stack, which facilitates both integration and potential attack. CIP Security represents a significant step forward but requires modern hardware and certificate infrastructure. Regardless of the protocol version, network segmentation remains the fundamental protection mechanism.

Open source tools

Tool       | Language | Description                                                                          | Link
-----------|----------|--------------------------------------------------------------------------------------|-------
pycomm3    | Python   | Communication with Allen-Bradley PLCs (ControlLogix, CompactLogix) - tag read/write  | GitHub
cpppo      | Python   | EtherNet/IP and CIP implementation - server/client for simulation and testing        | GitHub
EIPScanner | C++      | EtherNet/IP library for scanning and communicating with CIP devices                  | GitHub

TIP

pycomm3 example: plc.read('Tag_Name') - reads a tag from a ControlLogix without authentication. Ideal for auditing PLC accessibility on the network.
