The Cybersecurity & Infrastructure Security Agency (CISA) issued ICS Advisory 21-056-03 on February 25 regarding Rockwell Automation Logix controllers and software. Rockwell Automation says it has taken proactive steps in conjunction with CISA to mitigate any risks.
The risk evaluation states that successful exploitation of insufficiently protected credentials could allow a remote unauthenticated attacker to bypass the verification mechanism and connect with Logix controllers. Additionally, this vulnerability could enable an unauthorized third-party tool to alter the controller’s configuration and/or application code.
"Rockwell Automation has worked closely with and in coordination with CISA and the researchers as part of our standard coordinated vulnerability disclosure process," says Marci Pelzer, director, global external communications, at Rockwell Automation.
Rockwell Automation has determined that this vulnerability cannot be mitigated with a patch, and it encourages customers to implement the mitigation strategies outlined in its February 25 disclosure:
- Deploy contemporary TLS- and DTLS-based secure communications features to supported products. This feature, known as CIP Security, is an enhancement to the ODVA EtherNet/IP industrial communication standard and directly addresses the vulnerability noted in the disclosure. CIP Security allows users to leverage and manage certificates and/or pre-shared keys.
- Leverage the key switch available on Rockwell Automation controllers by placing controllers in Run Mode to prevent unauthorized user program or configuration changes.
- Customers should confirm they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized and control systems should be behind firewalls and isolated from other networks when possible.
"The most up-to-date information can always be found in our Rockwell Automation Industrial Security Advisory index," explains Pelzer. "We will always coordinate and work with CISA to provide the latest information when possible." A link to the CISA ICS advisory can be found here.