IT Mandate: Disable SNMP on ControlLogix processors

TConnolly · May 31, 2011

I got the following request from IT as a result of a vulnerability scan they performed.

Issue: SNMP Service

Solution: Disable the SNMP service on the remote host if you do not use it, filter incoming UDP packets going to this port, or change the default community string.

Then they gave me a list of IP addresses, all of which are for ControlLogix 1756-ENBT/A or 1756-ENBT/B modules and one CompactLogix L35E. None of the 1756-EN2T modules are affected.

I can't see anything even remotely resembling SNMP service settings in the module configuration tools - any suggestions?

OkiePC · May 31, 2011

Found this with a Google search, but have not explored it.

http://rockwellautomation.custhelp.com/app/answers/detail/a_id/34413/kw/34413

Paul

Ken Roach · May 31, 2011

I went through a lot of fire-drills on this issue almost a decade ago:

http://www.cert.org/advisories/CA-2002-03.html

The simple answer is that there's no risk in SNMP with these devices; since they are not IP network gateways there's no ability for an attacker to bridge through them.

If you need to change the default passwords, there's a good RA technote that describes using the common utility GETIF to change the various community passwords.

http://rockwellautomation.custhelp.com/app/answers/detail/a_id/34413

I don't think SNMP can be disabled on these modules.

The right way to approach these issues is what it sounds like they're doing: good perimeter defenses, baseline understanding of interior network requirements, and vigilant monitoring.

bernie_carlton · May 31, 2011

And I think 21334 addresses this issue more directly.

IT Mandate: Disable SNMP on ControlLogix processors

TConnolly

Lifetime Supporting Member

OkiePC

Lifetime Supporting Member

Ken Roach

Lifetime Supporting Member + Moderator

bernie_carlton

Lifetime Supporting Member + Moderator

Similar Topics