Rockwell Automation Urges Customers to Disconnect ICS From Internet

Original article here

Rockwell Automation has issued a security notice urging customers to ensure that their industrial control systems (ICS) are not connected to the internet and exposed to cyber threats.

The industrial automation giant has told customers to take ‘immediate’ action and check whether any devices that are not specifically designed for public connectivity are exposed to the web.

A Shodan search for ‘Rockwell’ currently returns more than 7,000 results, including thousands of what appear to be Allen-Bradley programmable logic controllers (PLCs).

The company is concerned about potential attacks “due to heightened geopolitical tensions and adversarial cyber activity globally”.

“Consistent with Rockwell Automation’s guidance for all devices not specifically designed for public internet connectivity (for example, cloud and edge offerings), users should never configure their assets to be directly connected to the public-facing internet,” Rockwell said. “Removing that connectivity as a proactive step reduces attack surface and can immediately reduce exposure to unauthorized and malicious cyber activity from external threat actors.”

The company’s advisory links to several relevant resources, including guidance and best practices.
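The check the advisory asks operators to make, whether any device not designed for public connectivity is reachable from the internet, can be scripted against an asset inventory and the firewall or NAT rules in front of it. The following is an added example written for this page, not code from Rockwell, CISA or the original article. It assumes a hypothetical inventory format (name, IP address, a flag for products built for internet exposure) and a constructed rule list; the internal address ranges and all sample addresses are constructed, with the documentation address 203.0.113.10 standing in for a genuinely public one.

```python
"""Flag ICS assets that are directly internet-addressable or reachable
through an allow-from-any firewall/NAT rule.

Added example, not Rockwell's or CISA's code. The inventory and rule
formats are hypothetical; the sample data below is constructed.
"""
import ipaddress
from dataclasses import dataclass

# Address space the plant treats as internal (assumption: RFC 1918 ranges).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    public_ready: bool   # True only for products designed for internet exposure


@dataclass(frozen=True)
class Rule:
    src: str     # source network; "0.0.0.0/0" means any source
    dst: str     # destination host or network
    action: str  # "allow" or "deny"


# Constructed sample inventory. 203.0.113.10 is a documentation address
# standing in for a public one a controller should never sit on.
INVENTORY = [
    Asset("PLC-LINE1", "10.20.1.10", False),
    Asset("PLC-LINE2", "203.0.113.10", False),
    Asset("HMI-PACK", "10.20.1.50", False),
    Asset("EDGE-GW", "10.20.2.5", True),
]

# Constructed sample firewall/NAT rules. Rule order is not evaluated here;
# any allow-from-any rule that covers a non-public-ready asset is reported.
RULES = [
    Rule("0.0.0.0/0", "10.20.2.5/32", "allow"),   # edge gateway, built for it
    Rule("0.0.0.0/0", "10.20.1.0/24", "allow"),   # whole PLC/HMI VLAN: exposure
    Rule("10.0.0.0/8", "10.20.1.0/24", "allow"),  # internal sources only: fine
    Rule("0.0.0.0/0", "10.20.1.50/32", "deny"),
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the plant's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def directly_addressable(assets):
    """Names of assets on a non-internal address that are not built for it."""
    return sorted(a.name for a in assets
                  if not a.public_ready and not is_internal(a.ip))


def reachable_from_any(assets, rules):
    """(asset, rule) pairs where an allow rule from any source covers the asset."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src = ipaddress.ip_network(r.src, strict=False)
        if src.prefixlen != 0:        # only "any source" rules matter here
            continue
        dst = ipaddress.ip_network(r.dst, strict=False)
        for a in assets:
            if not a.public_ready and ipaddress.ip_address(a.ip) in dst:
                findings.append((a.name, f"{r.src} -> {r.dst}"))
    return sorted(findings)


if __name__ == "__main__":
    for name in directly_addressable(INVENTORY):
        print(f"EXPOSED ADDRESS  {name}")
    for name, rule in reachable_from_any(INVENTORY, RULES):
        print(f"EXPOSED BY RULE  {name} via {rule}")
```

Run against the constructed data, the first check reports PLC-LINE2 (it sits outside every internal range) and the second reports PLC-LINE1 and HMI-PACK, which the VLAN-wide allow-from-any rule forwards to even though neither is designed for public connectivity; the edge gateway is reachable by design and is not reported. Feeding the same two functions a real inventory export and rule dump gives a starting list for the "remove that connectivity" step the advisory describes.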

Rockwell’s advisory highlights several vulnerabilities found and patched in recent years, including CVE-2021-22681, CVE-2022-1159, CVE-2023-3595 and CVE-2023-3596, CVE-2023-46290, CVE-2024-21914, CVE-2024-21915, and CVE-2024-21917.

These flaws can allow hackers to conduct DoS attacks, escalate privileges, modify settings, remotely compromise PLCs, and even conduct Stuxnet-style attacks.

The discovery of exploits targeting CVE-2023-3595 and CVE-2023-3596 suggests that threat actors, particularly APT groups, have set their sights on Rockwell industrial products and have at least attempted to exploit Rockwell product vulnerabilities. However, there are no confirmed reports of actual attacks.

The US cybersecurity agency CISA has also posted an alert to bring attention to Rockwell’s notice.


About the Author: Patriotman

Patriotman currently ekes out a survivalist lifestyle in a suburban northeastern state as best as he can. He has varied experience in political science, public policy, biological sciences, and higher education. Proudly Catholic and an Eagle Scout, he has no military experience and thus offers a relatable perspective for the average suburban prepper who is preparing for troubled times on the horizon with less than ideal teams and in less than ideal locations. Brushbeater Store Page: http://bit.ly/BrushbeaterStore

One Comment

  1. Ghostmann May 23, 2024 at 17:20

    FWIW… Siemens Scalance switches and their devices, such as S7-1500s and S7-1200s have similar vulnerabilities. This isn’t just limited to Rockwell and their processors or Stratix switches.

    The thing is, Rockwell usually releases patches that fix quite a few of their issues, such as if you DDoS’d a PLC (provided you could get on the same net, or the facility was stupid enough to have it facing the public internet) you’d cause it to have a failure that could potentially wipe the project from the memory. No one updates them, and Rockwell doesn’t really communicate them well at all.

    There was also another interesting vulnerability where threat actors were using home-rolled versions of VNC to remotely access HMIs that were placed on the public internet. With something like a PanelView you have to enable VNC, it’s not enabled by default. So, a lot of the time, in the interest of instant access… plants will just enable VNC on a PanelView with no password. That’s right. You just VNC right into the HMI and start changing values or actuating the buttons.

    If you had any idea of the legacy, outdated PLC 5 and SLC 500s that are still being used. Seriously. Factories do not upgrade their shit at all. AT ALL. Rockwell doesn’t help their cause by charging insane prices for their hardware and licensing, then removing support for legacy products to try to force the customer to upgrade. The customer usually chooses the other choice, just sit on it.

    The legacy hardware is a huge issue because if the project was never backed up, and some chicanery happens where say a PLC 5 processor gets wiped… bye bye critical infrastructure.
