Rockwell’s PLC/ICS Security Flaw

There is a security bypass flaw in the Rockwell PLC/ICS system that could allow an attacker to bypass authentication mechanisms, gaining unauthorized access to the PLCs. This vulnerability primarily affects certain models of Rockwell’s PLCs, which use network protocols and configurations that may be exploited by an attacker, according to recent media reports.

Understanding the Rockwell PLC Security Bypass Vulnerability: Implications and Mitigations

In the realm of industrial control systems (ICS), security vulnerabilities can pose severe risks to operational integrity and safety. A significant security concern recently emerged in the Rockwell Automation Programmable Logic Controllers (PLCs), which are widely used in various industrial sectors. The vulnerability, identified as a security bypass issue, could potentially allow unauthorized access to critical systems, compromising both operational safety and data integrity. The problem has existed since 2021.

Rockwell says that ‘Researchers found that the Studio 5000 Logix Designer® software may allow a key to be discovered. This key is used to verify Logix controllers are communicating with Rockwell Automation design software. If successfully exploited, this vulnerability could allow an unauthorized application to connect with Logix controllers. To leverage this vulnerability, an unauthorized user would require network access to the controller. Studio 5000 Logix Designer uses a key to verify Logix controllers are communicating with Rockwell Automation products.

If successfully exploited, this vulnerability could allow a remote, unauthenticated attacker to bypass a verification mechanism and authenticate with Logix controllers. If exploited, this vulnerability could enable an unauthorized third-party tool to make changes to the controller configuration and/or application code.’

Rockwell Automation is a major player in the industrial automation sector offering a wide range of programmable logic controllers (PLCs) that control and monitor machinery and processes. PLCs are integral to the automation efforts of numerous industries, including manufacturing, oil and gas, and energy. Securing Rockwell PLCs is paramount to ensuring the stability and safety of industrial operations.

The PLC Vulnerability: Mitigations and Best Practices

Beyond addressing specific vulnerabilities, adhering to best practices in industrial cybersecurity is essential for maintaining overall system security:

  • Implement Defense-in-Depth: Use multiple layers of security measures, such as firewalls, intrusion detection systems, and access controls, to protect industrial networks and systems.
  • Training and Awareness: Educate personnel about cybersecurity risks and best practices to ensure they are aware of potential threats and how to respond effectively.
  • Incident Response Planning: Develop and regularly update an incident response plan to quickly address any security incidents that may arise.

To prevent the exposure of critical control systems to unauthorized access over the CIP protocol, site security administrators should apply Rockwell’s patches immediately:

  • ControlLogix 5580 (1756-L8z): Update to versions V32.016, V33.015, V34.014, V35.011, and later
  • GuardLogix 5580 (1756-L8zS): Update to versions V32.016, V33.015, V34.014, V35.011, and later
  • 1756-EN4TR: Update to version V5.001 and later
  • 1756-EN2T Series D, 1756-EN2F Series C, 1756-EN2TR Series C, 1756-EN3TR Series B, and 1756-EN2TP Series A: Update to version V12.001 and later
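Because the fix lands in several parallel release branches (a V33 controller is patched at V33.015, a V34 controller at V34.014, and so on), a plain "is my version newer than X" comparison gives wrong answers. The following script, added here as an illustration and not code from the blog or from Rockwell, encodes the fixed versions listed above per product family and branch, and triages a constructed asset inventory into patched, unpatched, and not-listed groups. The inventory entries, asset names, and the `triage` function are assumptions for the example; the version numbers and product families come from the list above.

```python
"""Triage Rockwell Logix firmware versions against the fixed versions
listed in the advisory. Example code written for this post; the inventory
below is constructed, not real site data."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int]

# Fixed firmware per product family, keyed by major release branch.
# Values are taken from the advisory list reproduced above; hardware series
# are kept in the family name because the listed fix applies only to them.
FIXED_VERSIONS: Dict[str, Dict[int, Version]] = {
    "ControlLogix 5580 (1756-L8z)": {32: (32, 16), 33: (33, 15), 34: (34, 14), 35: (35, 11)},
    "GuardLogix 5580 (1756-L8zS)": {32: (32, 16), 33: (33, 15), 34: (34, 14), 35: (35, 11)},
    "1756-EN4TR": {5: (5, 1)},
    "1756-EN2T Series D": {12: (12, 1)},
    "1756-EN2F Series C": {12: (12, 1)},
    "1756-EN2TR Series C": {12: (12, 1)},
    "1756-EN3TR Series B": {12: (12, 1)},
    "1756-EN2TP Series A": {12: (12, 1)},
}

_VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)$")


def parse_version(text: str) -> Version:
    """Turn a Rockwell-style version string such as 'V33.015' into (33, 15)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(match.group(1)), int(match.group(2))


def is_patched(family: str, version_text: str) -> bool:
    """True when the reported firmware is at or above the fix for its branch.

    A major branch later than any listed fix is treated as patched ("and
    later" in the advisory). An earlier, unlisted branch is treated as
    unpatched because no fixed build exists for it; the device must be
    moved to a supported branch.
    """
    branches = FIXED_VERSIONS[family]
    major, minor = parse_version(version_text)
    if major in branches:
        return (major, minor) >= branches[major]
    return major > max(branches)


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Split (asset, family, version) rows into patched / unpatched / not_listed.

    Families that are not in the advisory list are reported separately rather
    than guessed at, so a reviewer can check them against the vendor advisory.
    """
    result: Dict[str, List[str]] = {"patched": [], "unpatched": [], "not_listed": []}
    for asset, family, version in inventory:
        if family not in FIXED_VERSIONS:
            result["not_listed"].append(asset)
        elif is_patched(family, version):
            result["patched"].append(asset)
        else:
            result["unpatched"].append(asset)
    return result


# Constructed sample inventory (hypothetical asset names and versions).
SAMPLE_INVENTORY = [
    ("PLC-LINE1", "ControlLogix 5580 (1756-L8z)", "V33.012"),  # below V33.015
    ("PLC-LINE2", "ControlLogix 5580 (1756-L8z)", "V34.014"),  # exactly the fixed build
    ("PLC-SAFETY", "GuardLogix 5580 (1756-L8zS)", "V36.011"),  # later branch than listed
    ("PLC-OLD", "ControlLogix 5580 (1756-L8z)", "V31.011"),  # earlier branch, no fix listed
    ("BRIDGE-A", "1756-EN4TR", "V4.001"),  # below V5.001
    ("BRIDGE-B", "1756-EN2TR Series C", "V12.001"),  # exactly the fixed build
    ("BRIDGE-C", "1756-EN2T Series B", "V11.002"),  # series not in the advisory list
]

if __name__ == "__main__":
    for group, assets in triage(SAMPLE_INVENTORY).items():
        print(f"{group}: {', '.join(assets) or '-'}")
```

Feed the script a real inventory export (asset name, product family, reported firmware) and treat anything in `unpatched` as exposed to the bypass until updated; anything in `not_listed` needs a manual check against the advisory rather than an assumption either way.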

The Rockwell PLC security bypass vulnerability underscores the critical importance of cybersecurity in industrial control systems. As industrial environments become increasingly connected and complex, addressing such vulnerabilities proactively is essential to safeguarding operational integrity, safety, and data security. By staying informed about security issues, implementing recommended mitigations, and adhering to best practices, organizations can enhance their resilience against cyber threats and ensure the reliable and secure operation of their industrial control systems. Continuous vigilance and proactive measures are key to navigating the evolving landscape of industrial cybersecurity.

Information from Rockwell can be found at:

https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1550.html

To read more from our Cybersecurity Blog:

https://www.topgallant-partners.com
