Rockwell Automation: Disconnect OT Devices with Public-Facing Internet Access, Patch or Mitigate Logix, FactoryTalk CVEs

Rockwell Automation: Disconnect OT Devices with Public-Facing Internet Access, Patch or Mitigate Logix, FactoryTalk CVEs


An advisory from Rockwell Automation reiterates the importance of disconnecting operational technology devices with public-facing internet access and patching and mitigating systems vulnerable to several flaws.

Background

On May 21, Rockwell Automation published an advisory (SD1672) to provide guidance to customers on best practices to protect operational technology (OT) devices.

Details

For over a decade, reports have shown that OT devices, including controllers, HMI’s (Human Machine Interfaces) and Supervisory Control and Data Acquisition (SCADA) devices, have been at risk of exposure through search engines like Shodan. These OT devices have been fingerprinted by Shodan because they are public facing and internet-accessible, allowing them to be indexed by such search engines. This allows a variety of users, including security researchers and threat actors to search for and obtain information about such devices. Public facing controllers without security controls, such as those without authentication enabled, may be altered or programmed by a remote attacker possessing the correct software, even without a vulnerability to exploit.

The warnings about the exposure of such devices have been repeated since 2014, when the Cybersecurity and Infrastructure Security Agency (CISA) issued an ICS Alert (ICS-ALERT-10-301-01) about the threat posed by the discoverability of these devices. This message was reiterated once again in 2018 as part of ICS-ALERT-11-343-01A.

Most SCADA/OT systems should not be internet accessible

Due to their critical nature, most OT systems should not be public-facing and internet-accessible. The only instances whereby such devices should be accessible are those that were designed to enable external connectivity. Segmentation of these environments is strongly suggested, and users can reference ISA/IEC 62443 Series of Standards for best practices.

COVID-19 and lockdowns required remote access

We know in 2020, the COVID-19 pandemic required organizations to allow for remote access to internal networks. This need also came at the cost of expanding the attack surface, which included the provisioning of OT systems for remote access. Many times these remote access capabilities were deployed with speed and ease of use over security. This includes cellular modems, 4G/5G, dial-up, or dedicated internet lines, which are common for original equipment manufacturers (OEMs) and vendors to monitor and access equipment.

OT devices are becoming a greater target for attackers

In recent years, OT devices have increasingly become a target for attack by a variety of threat actors, such as ransomware groups and affiliates, hacktivists and nation-state cyber criminals linked to Iran and China. In Early May, several U.S. agencies including CISA, issued an advisory about Pro-Russian hacktivist activity targeting OT environments. This links back to part of the catalyst for Rockwell Automation’s advisory, which noted the “heightened geopolitical tensions and adversarial cyber activity globally.”

Seven Vulnerabilities Highlighted in Rockwell Automation Advisory

As part of its advisory, Rockwell Automation highlighted seven CVEs in various products including flaws in its Logix Controllers and Logix Designer, Communication Modules and FactoryTalk.

CVE Description CVSSv3 Affected Equipment
CVE-2021-22681 Rockwell Automation Insufficiently Protected Credentials Vulnerability 10.0 Studio 5000 Logix Designer, RSLogix 5000, Logix Controllers
CVE-2022-1159 Rockwell Automation Code Injection Vulnerability 7.7 Studio 5000 Logix Designer
CVE-2023-3595 Rockwell Automation Remote Code Execution Vulnerability 9.8 Allen-Bradley ControlLogix Communication Modules
CVE-2023-46290 Rockwell Automation Improper Authentication Vulnerability 8.1 FactoryTalk Services Platform
CVE-2024-21914 Rockwell Automation Cross-Site Scripting (XSS) Vulnerability 5.3 FactoryTalk View Machine Edition (ME)
CVE-2024-21915 Rockwell Automation Incorrect Execution-Assigned Permissions Vulnerability 9.0 FactoryTalk Service Platform
CVE-2024-21917 Rockwell Automation Improper Verification of Cryptographic Signature Vulnerability 9.8 FactoryTalk Service Platform

No specific exploit intelligence is available for these flaws. However, Rockwell Automation highlighted CVE-2023-3595, a remote code execution vulnerability in the Allen-Bradley ControlLogix Communication Modules, in July 2023.

Solution

The most important takeaway from Rockwell Automation’s advisory and the repeated advice surrounding OT devices remains the same: disconnect internet-accessible OT devices unless they were designed to be enabled for such access.

If such devices do require remote access, ensure they are properly configured behind firewalls and isolated from business critical networks. Limit administrator access and ensure accounts have only the required permissions. Use strong, unique passwords for accounts and ensure all default-passwords have been changed. Enable multifactor authentication (MFA) on accounts where possible. Standardize on a secure remote access platform for OT with audit and logging capabilities to ensure access is being utilized properly.

Identifying affected systems

To identify internet facing OT systems using Nessus plugins, please review the plugins listed on this page.

Additionally, Tenable customers can use the plugins from these two links to conduct credentialed or agent scans to identify OT assets

A list of Tenable plugins for the vulnerabilities referenced in this blog post can be found on the individual CVE pages:

Please note that there is no plugin coverage for CVE-2024-21914.

These links display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

Join Tenable’s Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.



Source link
lol

An advisory from Rockwell Automation reiterates the importance of disconnecting operational technology devices with public-facing internet access and patching and mitigating systems vulnerable to several flaws. Background On May 21, Rockwell Automation published an advisory (SD1672) to provide guidance to customers on best practices to protect operational technology (OT) devices. Details For over a decade,…

Leave a Reply

Your email address will not be published. Required fields are marked *