Walk into any modern manufacturing facility, power plant, or industrial operation, and you’ll find networks running protocols that were never designed with security in mind. EtherNet/IP, CIP (Common Industrial Protocol), and GE SRTP (Service Request Transport Protocol) form the backbone of industrial automation, moving critical control data between PLCs, HMIs, and SCADA systems.

These protocols were created when operational technology networks were truly air-gapped and security meant keeping unauthorized people out of the building. Today, as OT networks become increasingly connected to corporate IT and cloud systems, understanding the security implications of these industrial protocols isn’t just important – it’s critical for protecting both operations and safety.

After working with organizations to secure industrial networks running these protocols, we’ve learned what security professionals need to know about how they work, where they’re vulnerable, and how to protect them without breaking operations.

EtherNet/IP: Ethernet for Industrial Automation

Protocol Architecture

EtherNet/IP (Ethernet Industrial Protocol) isn’t actually Ethernet – it’s an industrial communication protocol that runs over standard Ethernet networks. It’s the most widely deployed industrial Ethernet protocol globally, used by Allen-Bradley, Rockwell Automation, and hundreds of other industrial equipment manufacturers.

EtherNet/IP stack:

  • Physical Layer: Standard Ethernet (IEEE 802.3)
  • Network Layer: Standard TCP/IP
  • Transport Layer: TCP for explicit messaging, UDP for implicit messaging
  • Session Layer: Common Industrial Protocol (CIP)
  • Application Layer: Device profiles and object modeling

Key characteristics:

  • Uses well-known port 44818 (TCP, explicit messaging) and port 2222 (UDP, implicit I/O messaging)
  • Supports both real-time I/O data and configuration messaging
  • Backward compatible with older industrial protocols through encapsulation
  • Can coexist with standard IT network traffic

Security Implications

EtherNet/IP has no built-in security features:

  • No authentication: Any device can participate in communications
  • No encryption: All data transmitted in clear text
  • No integrity checking: No protection against message modification
  • No access control: No mechanism to restrict which devices can communicate

Common attack vectors:

  • Man-in-the-middle attacks: Intercepting and modifying control commands
  • Replay attacks: Capturing and replaying legitimate control messages
  • Denial of service: Flooding networks with malformed or excessive messages
  • Device impersonation: Malicious devices joining networks and issuing commands

Real-world example: An attacker with network access could monitor EtherNet/IP traffic to learn normal operational patterns, then inject commands to modify setpoints, disable safety systems, or cause equipment malfunctions – all without authentication or detection.

CIP: The Common Industrial Protocol

Protocol Foundation

CIP (Common Industrial Protocol) provides the upper-layer communication services for several industrial networks, including EtherNet/IP, DeviceNet, and ControlNet. It’s an object-oriented protocol that standardizes how industrial devices communicate about their capabilities, configuration, and status.

CIP object model:

  • Device objects representing physical or logical entities
  • Class objects defining common attributes and services
  • Instance objects representing specific implementations
  • Assembly objects grouping related data for efficient transfer

CIP services:

  • Explicit messaging for configuration and diagnostics (typically TCP)
  • Implicit messaging for real-time I/O data (typically UDP)
  • Object modeling for device capabilities and configuration
  • Electronic data sheets for device integration and configuration
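To make the EtherNet/IP encapsulation layer and CIP explicit messaging described above concrete, here is an added example (not code from the original post) that decodes the 24-byte EtherNet/IP encapsulation header and, for SendRRData/SendUnitData frames, pulls the CIP service code out of the Common Packet Format items, which is the minimum a protocol-aware monitor must do before it can tell a read from a write. The sample frames are constructed inside the block (the `build_rr_data` helper exists only to produce test input), and the service-name table is an assumed subset of the standard CIP codes plus the Logix Read_Tag/Write_Tag services.

```python
import struct
# Encapsulation command codes from the EtherNet/IP specification
COMMANDS = {0x0004: "ListServices", 0x0063: "ListIdentity", 0x0064: "ListInterfaces",
            0x0065: "RegisterSession", 0x0066: "UnRegisterSession",
            0x006F: "SendRRData", 0x0070: "SendUnitData"}
# Common CIP service codes; Read_Tag/Write_Tag are the Logix vendor-specific tag services
CIP_SERVICES = {0x01: "Get_Attribute_All", 0x0E: "Get_Attribute_Single",
                0x10: "Set_Attribute_Single", 0x4C: "Read_Tag", 0x4D: "Write_Tag"}
WRITE_SERVICES = {0x10, 0x4D}

def parse_encap(frame: bytes) -> dict:
    """Decode the 24-byte header: cmd(2) len(2) session(4) status(4) context(8) options(4), little-endian."""
    if len(frame) < 24:
        raise ValueError("short encapsulation header")
    cmd, length, session, status, _ctx, _opts = struct.unpack("<HHII8sI", frame[:24])
    if len(frame) != 24 + length:
        raise ValueError("length field does not match frame size")
    msg = {"command": COMMANDS.get(cmd, f"Unknown(0x{cmd:04x})"), "session": session,
           "status": status, "cip_service": None, "is_write": False}
    if cmd in (0x006F, 0x0070):                     # only these carry CIP explicit messages
        msg["cip_service"], msg["is_write"] = _parse_cpf(frame[24:])
    return msg

def _parse_cpf(payload: bytes):
    """Body of SendRRData/SendUnitData: interface handle(4) timeout(2) item count(2), then CPF items."""
    count = struct.unpack_from("<H", payload, 6)[0]
    offset = 8
    for _ in range(count):
        item_type, item_len = struct.unpack_from("<HH", payload, offset)
        data = payload[offset + 4: offset + 4 + item_len]
        offset += 4 + item_len
        if item_type == 0x00B2 and data:            # unconnected data item: Message Router request
            service = data[0]
        elif item_type == 0x00B1 and len(data) > 2: # connected data item: 16-bit sequence count first
            service = data[2]
        else:
            continue
        code = service & 0x7F                       # bit 7 set marks a reply to the same service
        return CIP_SERVICES.get(code, f"0x{code:02x}"), code in WRITE_SERVICES
    return None, False

def build_rr_data(session: int, service: int, path: bytes) -> bytes:
    """Construct a SendRRData frame carrying one unconnected CIP request (sample input only)."""
    request = bytes([service, len(path) // 2]) + path   # service, request path size (words), EPATH
    cpf = struct.pack("<HHHH", 0x0000, 0, 0x00B2, len(request)) + request  # null address + data item
    body = struct.pack("<IHH", 0, 10, 2) + cpf          # interface handle 0, 10 s timeout, 2 items
    return struct.pack("<HHII8sI", 0x006F, len(body), session, 0, b"\0" * 8, 0) + body
```

Note that the session handle is the only per-connection value in the header and travels in clear text, which is why it offers no protection against the impersonation and replay vectors listed earlier.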

CIP Security Concerns

CIP inherits and amplifies EtherNet/IP security weaknesses:

  • Object manipulation: Attackers can modify device objects to change behavior
  • Service exploitation: Unprotected services can be called to disrupt operations
  • Configuration tampering: Device configurations can be modified without authentication
  • Information disclosure: Device capabilities and status exposed without access control

Specific CIP vulnerabilities:

  • Assembly object manipulation: Critical I/O data can be intercepted and modified
  • Identity object exploitation: Device information can be gathered for reconnaissance
  • Connection hijacking: Existing communication sessions can be taken over
  • Firmware manipulation: Some CIP implementations allow firmware updates without proper authentication

Attack scenario: An attacker could use CIP services to enumerate all devices on an industrial network, identify their configurations and capabilities, then modify critical assembly objects to alter I/O data flowing between controllers and field devices.

GE SRTP: Service Request Transport Protocol

Protocol Overview

GE SRTP (Service Request Transport Protocol) is General Electric’s proprietary protocol used in their industrial automation systems, including the RX3i, RX7i, and 90-30 series PLCs. While less common than EtherNet/IP, SRTP is widely deployed in GE-based industrial systems.

SRTP characteristics:

  • Proprietary protocol with limited public documentation
  • TCP-based communication typically on port 18245
  • Request-response model for client-server communications
  • Support for multiple data types including discrete, analog, and string data

SRTP functions:

  • Reading and writing PLC memory locations
  • Program upload and download
  • Online monitoring and diagnostics
  • Historical data collection and trending

SRTP Security Challenges

SRTP shares common industrial protocol security weaknesses:

  • No built-in authentication: Any client can connect and issue commands
  • Clear-text communication: All data transmitted without encryption
  • Limited access control: No mechanism to restrict operations based on user or device identity
  • Proprietary format: Security analysis complicated by limited documentation

SRTP-specific concerns:

  • Direct memory access: Protocol allows reading and writing arbitrary PLC memory locations
  • Program manipulation: Unauthorized program changes can be made without authentication
  • Diagnostic exploitation: Diagnostic functions can be used to gather intelligence about operations
  • Session hijacking: Existing connections can be intercepted and controlled

Security implications: SRTP’s direct memory access capabilities mean that successful attacks can have immediate and severe operational consequences, including equipment damage and safety system bypasses.

Practical Security Approaches

Network Segmentation and Access Control

The foundation of industrial protocol security is proper network architecture:

Network segmentation strategies:

  • DMZ networks between IT and OT environments with controlled access points
  • VLAN isolation separating different operational zones and functions
  • Firewall rules specifically configured for industrial protocol traffic patterns
  • Jump boxes for controlled administrative access to OT networks

Access control implementation:

  • Protocol-aware firewalls that understand EtherNet/IP, CIP, and SRTP message structures
  • Deep packet inspection for industrial protocols to detect anomalous communications
  • Connection whitelisting allowing only authorized device-to-device communications
  • Time-based access controls limiting communications to operational windows

Monitoring and Detection

Since industrial protocols lack built-in security, external monitoring becomes critical:

Protocol monitoring capabilities:

  • Baseline establishment of normal communication patterns and data flows
  • Anomaly detection for unusual commands, data values, or communication patterns
  • Asset discovery identifying all devices communicating on industrial protocols
  • Configuration monitoring detecting unauthorized changes to device configurations

Detection strategies:

  • Command analysis: Monitoring for unauthorized write commands or configuration changes
  • Data validation: Checking control data against expected operational parameters
  • Timing analysis: Detecting unusual communication timing or frequency patterns
  • Device behavior monitoring: Identifying devices exhibiting unexpected protocol behavior
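The connection whitelisting, baseline establishment, command analysis and data validation strategies listed above, as an added example that is not part of the original post: it learns which operations each authorized device pair performs during a baseline window, then flags unlisted connections, commands a known pair has never issued before, writes from hosts not permitted to write, and values outside an expected operating range. The host addresses, operation labels, tag name and limits are constructed assumptions standing in for what a protocol-aware sensor would emit; only the port numbers come from the article.

```python
from collections import defaultdict
# Ports named in the article: EtherNet/IP explicit (TCP), implicit I/O (UDP), GE SRTP (TCP)
ENIP_TCP, ENIP_UDP, SRTP_TCP = 44818, 2222, 18245
# Operation labels are assumed sensor output, not protocol constants; these ones change controller state
WRITE_OPS = {"Set_Attribute_Single", "Write_Tag", "SRTP_Write", "Program_Download"}
# Connection whitelist of authorized (src, dst, port) pairs, and the hosts allowed to issue writes
WHITELIST = {("10.1.1.10", "10.1.2.20", ENIP_TCP),   # HMI -> PLC, explicit messaging
             ("10.1.2.20", "10.1.2.30", ENIP_UDP),   # PLC -> remote I/O, implicit messaging
             ("10.1.1.11", "10.1.3.40", SRTP_TCP)}   # engineering workstation -> GE PLC
WRITERS = {"10.1.1.10", "10.1.1.11"}
TAG_LIMITS = {"Setpoint_Temp": (20.0, 90.0)}         # expected operating range for data validation

def learn_baseline(records):
    """Baseline phase: record which operations each device pair normally performs."""
    baseline = defaultdict(set)
    for r in records:
        baseline[(r["src"], r["dst"], r["port"])].add(r["op"])
    return baseline

def detect(records, baseline):
    """Detection phase: whitelist check, baseline deviation, write authorization, data validation."""
    alerts = []
    for r in records:
        key = (r["src"], r["dst"], r["port"])
        if key not in WHITELIST:
            alerts.append(("unauthorized-connection", key, r["op"]))
        elif r["op"] not in baseline.get(key, set()):
            alerts.append(("new-command", key, r["op"]))
        if r["op"] in WRITE_OPS and r["src"] not in WRITERS:
            alerts.append(("unauthorized-write", key, r["op"]))
        limits = TAG_LIMITS.get(r.get("tag"))
        if limits and not limits[0] <= r["value"] <= limits[1]:
            alerts.append(("out-of-range", key, r["tag"], r["value"]))
    return alerts

def run_sample():
    """Constructed records: a learning window, then live traffic including a rogue host 10.1.9.99."""
    learning = [
        {"src": "10.1.1.10", "dst": "10.1.2.20", "port": ENIP_TCP, "op": "Read_Tag"},
        {"src": "10.1.1.10", "dst": "10.1.2.20", "port": ENIP_TCP, "op": "Write_Tag", "tag": "Setpoint_Temp", "value": 60.0},
        {"src": "10.1.2.20", "dst": "10.1.2.30", "port": ENIP_UDP, "op": "IO_Data"},
        {"src": "10.1.1.11", "dst": "10.1.3.40", "port": SRTP_TCP, "op": "SRTP_Read"},
    ]
    live = [
        {"src": "10.1.1.10", "dst": "10.1.2.20", "port": ENIP_TCP, "op": "Write_Tag", "tag": "Setpoint_Temp", "value": 65.0},
        {"src": "10.1.1.10", "dst": "10.1.2.20", "port": ENIP_TCP, "op": "Write_Tag", "tag": "Setpoint_Temp", "value": 140.0},
        {"src": "10.1.1.11", "dst": "10.1.3.40", "port": SRTP_TCP, "op": "Program_Download"},
        {"src": "10.1.9.99", "dst": "10.1.2.20", "port": ENIP_TCP, "op": "Write_Tag", "tag": "Setpoint_Temp", "value": 50.0},
    ]
    return detect(live, learn_baseline(learning))
```

Calling `run_sample()` yields four alerts: the in-range HMI setpoint write is silent, while the 140.0 write, the engineering workstation's first program download and the rogue host's connection and write are each reported.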

Compensating Controls

When protocol-level security isn’t available, implement compensating controls:

Authentication alternatives:

  • Certificate-based device authentication at the network layer
  • VPN tunneling for industrial protocol communications over untrusted networks
  • Application-layer authentication where supported by industrial devices
  • Physical security controls for network infrastructure and device access

Data protection measures:

  • Network encryption using VPNs or other tunneling technologies
  • Message authentication codes where supported by industrial equipment
  • Data diodes for one-way data flows from OT to IT environments
  • Integrity monitoring to detect unauthorized data modifications

Implementation Considerations

Operational Impact Assessment

Security controls must be compatible with operational requirements:

Performance considerations:

  • Latency requirements for real-time control communications
  • Bandwidth limitations in industrial network infrastructure
  • Deterministic behavior requirements for safety-critical systems
  • Availability requirements that may preclude certain security measures

Change management integration:

  • Maintenance window coordination for security control implementation
  • Testing procedures to verify operational compatibility
  • Rollback planning for security measures that impact operations
  • Documentation updates reflecting security control implementations

Vendor Coordination

Industrial protocol security often requires vendor involvement:

Vendor engagement strategies:

  • Security capability assessment of current and planned industrial equipment
  • Roadmap discussions for security enhancements in future product releases
  • Support requirements for security monitoring and incident response
  • Configuration guidance for optimal security within operational constraints

Procurement considerations:

  • Security requirements in new equipment specifications
  • Lifecycle planning for equipment with limited security capabilities
  • Support contracts that include security-related assistance
  • Training requirements for secure operation and maintenance

Common Implementation Mistakes

Assuming Air-Gap Protection

The mistake: Believing that industrial networks are isolated and therefore secure. Reality: Most OT networks have direct or indirect connections to corporate networks and internet-connected systems.

Ignoring Legacy Equipment

The mistake: Focusing security efforts only on new equipment while ignoring legacy systems. Reality: Attackers often target the weakest links, which are frequently older industrial systems with no security capabilities.

Over-Engineering Solutions

The mistake: Implementing complex security solutions that interfere with operations. Reality: Industrial environments require security solutions that work reliably within operational constraints.

Treating All Protocols the Same

The mistake: Using generic network security approaches without understanding industrial protocol specifics. Reality: Effective industrial protocol security requires understanding of protocol behaviors and operational patterns.

Regulatory and Compliance Considerations

Industry Standards

Several standards address industrial protocol security:

  • ISA/IEC 62443: Industrial communication networks cybersecurity
  • NIST Cybersecurity Framework: Risk-based cybersecurity approach
  • NERC CIP: North American electric reliability standards
  • ISO 27001/27002: Information security management systems

Compliance Requirements

Different industries have specific requirements:

  • Electric utilities: NERC CIP requirements for critical cyber assets
  • Chemical facilities: CFATS requirements for high-risk chemical facilities
  • Water systems: America’s Water Infrastructure Act cybersecurity requirements
  • Manufacturing: Various industry-specific security standards and regulations

Future Protocol Security Evolution

Security Enhancements

Industrial protocol security is evolving:

  • Built-in authentication and encryption in newer protocol versions
  • Certificate-based security for device and user authentication
  • Secure key management systems for industrial environments
  • Protocol-aware security appliances designed for industrial applications

Industrial protocols are integrating with modern security architectures:

  • Cloud connectivity with secure communication channels
  • Identity and access management integration for industrial systems
  • SIEM integration for industrial protocol monitoring and analysis
  • Zero-trust architectures adapted for industrial environments

The Bottom Line

EtherNet/IP, CIP, and GE SRTP represent the reality of industrial communication: protocols designed for operational efficiency and reliability, not security. Understanding their capabilities and limitations is essential for building effective OT security programs.

The key to success is implementing layered security controls that protect these protocols without interfering with critical operations. This requires deep understanding of both the protocols and the operational environments where they’re deployed.

What’s Next?

Start by inventorying industrial protocols in your environment and assessing their security implications. Focus on understanding normal protocol behaviors before implementing detection and protection measures.

If you need help securing industrial protocols in your OT environment, let’s talk. We specialize in practical industrial cybersecurity that protects operations while maintaining the reliability and performance your business depends on.

The industrial protocols running your operations weren’t built for today’s threat landscape – but with the right approach, you can secure them effectively.
