Hardware that is extensively utilized to regulate tools in manufacturing facilities as well as various other commercial setups can be from another location commandeered by manipulating a recently revealed susceptability that has a seriousness rating of 10 out of 10.
The susceptability is discovered in programmable reasoning controllers from Rockwell Automation that are marketed under the Logix brand name. These tools, which vary from the dimension of a tiny toaster oven to a huge bread box or perhaps larger, assist regulate tools as well as procedures on production line as well as in various other making atmospheres. Engineers program the PLCs utilizing Rockwell software program called Studio 5000 Logix Designer.
On Thursday, the United States Cybersecurity & Infrastructure Security Administration advised of a crucial susceptability that can enable cyberpunks to from another location attach to Logix controllers as well as from there modify their arrangement or application code. The susceptability calls for a reduced ability degree to be manipulated, CISA stated.
The susceptability, which is tracked as CVE-2021-22681, is the outcome of the Studio 5000 Logix Designer software program making it feasible for cyberpunks to draw out a secret security trick. This trick is hard-coded right into both Logix controllers as well as design terminals as well as validates interaction in between both tools. A cyberpunk that acquired the trick can after that resemble a design workstation as well as control PLC code or setups that straight influence a production procedure.
“Any affected Rockwell Logix controller that is exposed on the Internet is potentially vulnerable and exploitable,” stated Sharon Brizinov, primary susceptability scientist at Claroty, among 3 companies Rockwell attributed with individually finding the problem. “To successfully exploit this vulnerability, an attacker must first obtain the secret key and have the knowledge of the cryptographic algorithm being used in the authentication process.”
Brizinov stated that Claroty informed Rockwell of the susceptability in 2019. Rockwell didn’t disclose it until Thursday. Rockwell also credited Kaspersky Lab and Soonchunhyang University researchers Eunseon Jeong, Youngho An, Junyoung Park, Insu Oh, and Kangbin Yim.
The vulnerability affects just about every Logix PLC Rockwell sells, including:
- CompactLogix 1768
- CompactLogix 1769
- CompactLogix 5370
- CompactLogix 5380
- CompactLogix 5480
- ControlLogix 5550
- ControlLogix 5560
- ControlLogix 5570
- ControlLogix 5580
- DriveLogix 5560
- DriveLogix 5730
- DriveLogix 1794-L34
- Compact GuardLogix 5370
- Compact GuardLogix 5380
- GuardLogix 5570
- GuardLogix 5580
- SoftLogix 5800
Rockwell isn’t issuing a patch that directly addresses the problems stemming from the hard-coded key. Instead, the company is recommending that PLC users follow specific risk mitigation steps. The steps involve putting the controller mode switch into run, and if that’s not possible, following other recommendations that are specific to each PLC model.
Those steps are laid out in an advisory Rockwell is making available to customers, as well as in the above-linked CISA advisory. Rockwell and CISA also recommend PLC users follow standard security-in-depth security advice. Chief among the recommendations is ensuring that control system devices aren’t accessible from the Internet.
Security professionals universally admonish engineers to place critical industrial systems behind a firewall so they aren’t exposed to the Internet. Unfortunately, engineers struggling with high workloads and limited budgets often don’t heed the advice. The latest reminder of this came earlier this month when a municipal water treatment plant in Florida said that an intruder accessed a remote system and tried to lace drinking water with lye. Plant employees used the same TeamViewer password and really did not put the system behind a firewall.
If Logix PLC users are segmenting industrial control networks as well as following other best practices, it’s likely that the risk posed by CVE-2021-22681 is minimal. And if people haven’t implemented these practices, hackers probably have easier ways to hijack the devices. That said, this vulnerability is serious enough that all Logix PLC users should pay attention to the CISA as well as Rockwell advisories.
Claroty has actually provided its very own writeup below.