The vulnerability of hard-coded keys in Logix PLCs has a serious score of 10 out of 10


Rockwell Automation

Hardware that is widely used to control equipment in factories and other industrial facilities can be remotely commandeered by exploiting a vulnerability with a severity score of 10 out of 10.

The vulnerability exists in Rockwell Automation’s programmable logic controllers, which are marketed under the Logix brand. These devices, which range in size from a small toaster to something considerably larger, help control equipment and processes on assembly lines and in other manufacturing environments. Engineers program the PLCs using Rockwell software called Studio 5000 Logix Designer.

The U.S. Cybersecurity & Infrastructure Security Agency on Thursday warned of a critical vulnerability that could allow remote attackers to connect to Logix controllers and modify their configuration or application code. Exploiting the vulnerability requires only a low skill level, CISA said.

The vulnerability, which is tracked as CVE-2021-22681, stems from the Studio 5000 Logix Designer software, from which an attacker can extract a secret cryptographic key. This key is hard-coded into both the Logix controllers and the engineering stations, and it is used to verify communication between the two. An attacker who obtains the key can impersonate an engineering workstation and manipulate PLC code or configuration, directly affecting a production process.

“Any affected Rockwell Logix controller exposed on the Internet is potentially vulnerable and exploitable,” said Sharon Brizinov, Claroty’s lead vulnerability researcher. “To successfully exploit this vulnerability, an attacker must first obtain the secret key and have knowledge of the cryptographic algorithm used in the verification process.”
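The two preceding paragraphs describe the design flaw in abstract terms: one symmetric key is baked into every copy of the engineering software and every controller, and possession of that key is all the controller checks. The following is an added illustration written for this page, not Rockwell's protocol, code or key material. It models a controller that verifies program downloads with an HMAC over a shared key (the HMAC construction, the key value and the message formats are all assumptions), shows that a party who has lifted the same key from the software produces tags the controller cannot tell apart from a real workstation's, and then models the hardware mode switch that the article later names as the recommended mitigation, which refuses network program changes before any key check happens.

```python
"""Toy model of authentication by a key shared across every install.

Constructed illustration only: the HMAC scheme, the key bytes and the
message contents are assumptions, not Rockwell's actual mechanism.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for a key embedded in every copy of the engineering
# software and every controller (the article gives no key material).
HARDCODED_SHARED_KEY = b"example-key-shipped-in-every-install"


def tag(key: bytes, payload: bytes) -> bytes:
    """Authentication tag a station attaches to a program download."""
    return hmac.new(key, payload, hashlib.sha256).digest()


@dataclass
class SharedKeyController:
    """Controller that accepts any download whose tag verifies under the global key."""
    key: bytes
    program: bytes = b"ORIGINAL_LOGIC"

    def download(self, payload: bytes, msg_tag: bytes) -> bool:
        # Constant-time comparison; the weakness is the key, not the compare.
        if not hmac.compare_digest(tag(self.key, payload), msg_tag):
            return False
        self.program = payload
        return True


@dataclass
class ModeSwitchController(SharedKeyController):
    """Same controller with a physical mode switch engaged (assumed model of
    the article's mitigation): network program changes are refused outright,
    so a valid tag no longer matters."""
    switch_engaged: bool = True

    def download(self, payload: bytes, msg_tag: bytes) -> bool:
        if self.switch_engaged:
            return False
        return super().download(payload, msg_tag)


def scenario_shared_key() -> tuple[bool, bool, bytes]:
    """Legitimate station and a third party holding the extracted key
    are indistinguishable to the controller."""
    plc = SharedKeyController(HARDCODED_SHARED_KEY)
    legit_ok = plc.download(b"LOGIC_V2", tag(HARDCODED_SHARED_KEY, b"LOGIC_V2"))
    # The key was recovered from the shipped software; the controller has no
    # per-device secret or identity to fall back on.
    extracted_key = HARDCODED_SHARED_KEY
    imposter_ok = plc.download(
        b"UNAUTHORIZED_LOGIC", tag(extracted_key, b"UNAUTHORIZED_LOGIC")
    )
    return legit_ok, imposter_ok, plc.program


def scenario_mode_switch() -> tuple[bool, bytes]:
    """With the mode switch engaged, even a correctly tagged download is refused."""
    plc = ModeSwitchController(HARDCODED_SHARED_KEY, switch_engaged=True)
    accepted = plc.download(
        b"UNAUTHORIZED_LOGIC", tag(HARDCODED_SHARED_KEY, b"UNAUTHORIZED_LOGIC")
    )
    return accepted, plc.program


if __name__ == "__main__":
    print("shared key only:", scenario_shared_key())
    print("mode switch engaged:", scenario_mode_switch())
```

The point of the model is that a secret distributed inside software that thousands of customers install is not a secret the controller can rely on; it identifies the software, not the operator. That is why the vendor's mitigation is a physical control and network isolation rather than a new key: both work regardless of who holds the key.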

Brizinov said Claroty notified Rockwell of the vulnerability in 2019; Rockwell disclosed it publicly only on Thursday. Rockwell also credited researchers from Kaspersky Lab and Soonchunhyang University: Eunseon Jeong, Youngho An, Junyoung Park, Insu Oh and Kangbin Yim.

The vulnerability affects almost every Logix PLC Rockwell sells, including:

  • CompactLogix 1768
  • CompactLogix 1769
  • CompactLogix 5370
  • CompactLogix 5380
  • CompactLogix 5480
  • ControlLogix 5550
  • ControlLogix 5560
  • ControlLogix 5570
  • ControlLogix 5580
  • DriveLogix 5560
  • DriveLogix 5730
  • DriveLogix 1794-L34
  • Compact GuardLogix 5370
  • Compact GuardLogix 5380
  • GuardLogix 5570
  • GuardLogix 5580
  • SoftLogix 5800

Rockwell is not issuing a patch that directly addresses the hard-coded key. Instead, the company recommends that PLC users follow specific risk-mitigation steps. These involve activating the controller's mode switch and, where that is not possible, following other recommendations specific to each PLC model.

These steps are set out in an advisory that Rockwell makes available to customers, as well as in the CISA advisory mentioned above. Rockwell and CISA also recommend that PLC users follow standard security practices, the most important of which is to ensure that control system devices are not reachable from the Internet.

Security professionals have long urged engineers to put critical industrial systems behind a firewall so that they are not exposed to the Internet. Unfortunately, engineers struggling with heavy workloads and limited budgets often do not heed the advice. The most recent reminder came earlier this month, when a municipal water treatment plant in Florida reported that an intruder had gained access through a remote-access system and was attempting to lace the drinking water with lye. Plant employees had shared a single TeamViewer password and had not placed the system behind a firewall.

If Logix PLC users segment their industrial control networks and follow other best practices, the risk posed by CVE-2021-22681 is likely to be minimal. And where those practices are not followed, attackers probably have easier ways to hijack the devices anyway. That said, the vulnerability is serious enough that all Logix PLC users should heed the CISA and Rockwell advisories.

Claroty has published its own write-up here.
