An Overview of CISA’s ICSA-21-056-03 Advisory for Rockwell Automation Logix Controllers

What Is CISA’s ICSA-21-056-03 Advisory?

On February 25, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) released an ICS Advisory (ICSA-21-056-03) related to vulnerabilities in Rockwell Automation Logix Controllers. The issue is related to insufficient protection of credentials and states that, “successful exploitation of this vulnerability could allow a remote unauthenticated attacker to bypass the verification mechanism and connect with Logix controllers. Additionally, this vulnerability could enable an unauthorized third-party tool to alter the controller’s configuration and/or application code.”

Apparently, this flaw was discovered in 2019, but was only announced last week. That leaves a lot of time for a hacker to exploit the vulnerability. However, the good news is that there is no evidence at the time of this writing that this vulnerability was exploited. The affected Rockwell products include:

Software

• RSLogix 5000: Versions 16 through 20
• Studio 5000 Logix Designer: Versions 21 and later

Controllers

• CompactLogix 1768
• CompactLogix 1769
• CompactLogix 5370
• CompactLogix 5380
• CompactLogix 5480
• ControlLogix 5550
• ControlLogix 5560
• ControlLogix 5570
• ControlLogix 5580
• DriveLogix 5560
• DriveLogix 5730
• DriveLogix 1794-L34
• Compact GuardLogix 5370
• Compact GuardLogix 5380
• GuardLogix 5570
• GuardLogix 5580
• SoftLogix 5800

Mitigating Risk from ICSA-21-056-03

Rockwell has recommended a set of mitigation strategies specific to the affected products, but they also provide more generic advice about ICS security best practices such as implementing a defense-in-depth strategy and using network segmentation and security controls to prevent intrusions. One recommendation is for users to “detect changes to configuration or application files.” This highlights a critical security challenge for many security products that are targeted for the IT market. The primary focus of IT security tools is on supporting widely used operating systems, such as Windows and Linux variations, with a large installed base. They don’t have the expertise or experience to support the many different vendors and products that are widely used in the OT market, such as Rockwell products. Therefore, a typical IT security tool won’t have the ability to provide the necessary change configuration information for these types of PLC devices. If you are using an OT-focused security tool, it will likely either already have support for these types of PLC’s, or have the infrastructure and capability to provide support when needed.

To Our Customers

• Industrial Defender can tell you if any of these impacted devices are in your systems and whether they are running the firmware versions at risk.
• Industrial Defender monitors the change log on the HMI to detect changes to device configuration or application files.
• If there are PLCs that are not in “Run” mode (i.e., someone left the PLC in “Remote Mode”), this is a physical switch in the device that Industrial Defender monitors and allows remote update/control of the PLC.
• For those who have a Vulnerability Monitoring subscription, you can search for this CVE to find any affected devices.