On February 25, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) released an ICS Advisory (ICSA-21-056-03) related to vulnerabilities in Rockwell Automation Logix Controllers. The issue is related to insufficient protection of credentials and states that, “successful exploitation of this vulnerability could allow a remote unauthenticated attacker to bypass the verification mechanism and connect with Logix controllers. Additionally, this vulnerability could enable an unauthorized third-party tool to alter the controller’s configuration and/or application code.”
Apparently, this flaw was discovered in 2019, but was only announced last week. That leaves a lot of time for a hacker to exploit the vulnerability. However, the good news is that there is no evidence at the time of this writing that this vulnerability was exploited. The affected Rockwell products include:
Rockwell has recommended a set of mitigation strategies specific to the affected products, but they also provide more generic advice about ICS security best practices such as implementing a defense-in-depth strategy and using network segmentation and security controls to prevent intrusions. One recommendation is for users to “detect changes to configuration or application files.” This highlights a critical security challenge for many security products that are targeted for the IT market. The primary focus of IT security tools is on supporting widely used operating systems, such as Windows and Linux variations, with a large installed base. They don’t have the expertise or experience to support the many different vendors and products that are widely used in the OT market, such as Rockwell products. Therefore, a typical IT security tool won’t have the ability to provide the necessary change configuration information for these types of PLC devices. If you are using an OT-focused security tool, it will likely either already have support for these types of PLC’s, or have the infrastructure and capability to provide support when needed.