Rockwell Automation: Disconnect OT Devices with Public-Facing Internet Access, Patch or Mitigate Logix, FactoryTalk CVEs

An advisory from Rockwell Automation reiterates the importance of disconnecting operational technology devices with public-facing internet access and patching and mitigating systems vulnerable to several flaws.

Background

On May 21, Rockwell Automation published an advisory (SD1672) to provide guidance to customers on best practices to protect operational technology (OT) devices.

Details

For over a decade, reports have shown that OT devices, including controllers, HMI’s (Human Machine Interfaces) and Supervisory Control and Data Acquisition (SCADA) devices, have been at risk of exposure through search engines like Shodan. These OT devices have been fingerprinted by Shodan because they are public facing and internet-accessible, allowing them to be indexed by such search engines. This allows a variety of users, including security researchers and threat actors to search for and obtain information about such devices. Public facing controllers without security controls, such as those without authentication enabled, may be altered or programmed by a remote attacker possessing the correct software, even without a vulnerability to exploit.

The warnings about the exposure of such devices have been repeated since 2014, when the Cybersecurity and Infrastructure Security Agency (CISA) issued an ICS Alert (ICS-ALERT-10-301-01) about the threat posed by the discoverability of these devices. This message was reiterated once again in 2018 as part of ICS-ALERT-11-343-01A.

Most SCADA/OT systems should not be internet accessible

Due to their critical nature, most OT systems should not be public-facing and internet-accessible. The only instances whereby such devices should be accessible are those that were designed to enable external connectivity. Segmentation of these environments is strongly suggested, and users can reference ISA/IEC 62443 Series of Standards for best practices.

COVID-19 and lockdowns required remote access

We know in 2020, the COVID-19 pandemic required organizations to allow for remote access to internal networks. This need also came at the cost of expanding the attack surface, which included the provisioning of OT systems for remote access. Many times these remote access capabilities were deployed with speed and ease of use over security. This includes cellular modems, 4G/5G, dial-up, or dedicated internet lines, which are common for original equipment manufacturers (OEMs) and vendors to monitor and access equipment.

OT devices are becoming a greater target for attackers

In recent years, OT devices have increasingly become a target for attack by a variety of threat actors, such as ransomware groups and affiliates, hacktivists and nation-state cyber criminals linked to Iran and China. In Early May, several U.S. agencies including CISA, issued an advisory about Pro-Russian hacktivist activity targeting OT environments. This links back to part of the catalyst for Rockwell Automation’s advisory, which noted the “heightened geopolitical tensions and adversarial cyber activity globally.”

Seven Vulnerabilities Highlighted in Rockwell Automation Advisory

As part of its advisory, Rockwell Automation highlighted seven CVEs in various products including flaws in its Logix Controllers and Logix Designer, Communication Modules and FactoryTalk.

No specific exploit intelligence is available for these flaws. However, Rockwell Automation highlighted CVE-2023-3595, a remote code execution vulnerability in the Allen-Bradley ControlLogix Communication Modules, in July 2023.

Solution

The most important takeaway from Rockwell Automation’s advisory and the repeated advice surrounding OT devices remains the same: disconnect internet-accessible OT devices unless they were designed to be enabled for such access.

If such devices do require remote access, ensure they are properly configured behind firewalls and isolated from business critical networks. Limit administrator access and ensure accounts have only the required permissions. Use strong, unique passwords for accounts and ensure all default-passwords have been changed. Enable multifactor authentication (MFA) on accounts where possible. Standardize on a secure remote access platform for OT with audit and logging capabilities to ensure access is being utilized properly.

Identifying affected systems

To identify internet facing OT systems using Nessus plugins, please review the plugins listed on this page.

Additionally, Tenable customers can use the plugins from these two links to conduct credentialed or agent scans to identify OT assets

A list of Tenable plugins for the vulnerabilities referenced in this blog post can be found on the individual CVE pages:

• CVE-2021-22681
• CVE-2022-1159
• CVE-2023-3595
• CVE-2023-46290
• CVE-2024-21915
• CVE-2024-21917

Please note that there is no plugin coverage for CVE-2024-21914.

These links display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

• SD1672 | IMPORTANT NOTICE: Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet to Protect from Cyber Threats
• Control System Internet Accessibility
• Control System Internet Accessibility (Update A)-
• CVE-2023-3595, CVE-2023-3596: Rockwell Automation ControlLogix Vulnerabilities Disclosed
• Finding Rockwell Automation Allen-Bradley Communication Modules Affected by CVE-2023-3595 and CVE-2023-3596 in OT Environments
• Checking for ICS Internet Exposure Using Shodan.io
• Logix 5000 Controllers Security

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.