Rockwell security vulnerability

Should it happen? No. But, stupid is as stupid does.

It’s been discussed on here before but the “S” in IOT stands for security.
 
I just got an email from RA about it


KB article says to put the key switches in RUN as there's nothing that can be done. [don't have the email at home or the KB#, but it was Level:Everyone]



Going to have to be firmware updates for every version of the entire family.
 
Are you folks using factory talk security anyways? I integrated that into my plant a year ago and whenever I talk to external controls engineers I find that this feature isn't used in the first place...
 
I just got an email from RA about it


KB article says to put the key switches in RUN as there's nothing that can be done. [don't have the email at home or the KB#, but it was Level:Everyone]



Going to have to be firmware updates for every version of the entire family.

Doesn't following NIST standards negate the security risk? Also, if your production network has internet access you're already WAY behind.
 
also if your production network has internet access you're already WAY behind.


I have customers that demand immediate online diagnosis, and programming sometimes.


The number of CLX PLCs out there that are not going to be disconnected, put in Run mode and probably not get a firmware update has to be staggering - and mouth-watering to a hacker.


Friday I told one customer about this (that has a CLX run line online & keeping it that way) and he said hackers only go after the big guys and military or government sites. I told him those sites are pretty well protected and hackers do like to test their skill on small, unimportant targets.
 
I have customers that demand immediate online diagnosis, and programming sometimes.


Were you authenticating yourself with FactoryTalk Security when you remotely logged on in the first place? I know this has a 10/10 on the vulnerability scale, but barely anyone I know uses this feature set in the first place; especially small businesses are far from being able to do it at all, because of a lack of server infrastructure and AssetCentre cost being restrictive.
 
I have customers that demand immediate online diagnosis, and programming sometimes.


The number of CLX PLCs out there that are not going to be disconnected, put in Run mode and probably not get a firmware update has to be staggering - and mouth-watering to a hacker.


Friday I told one customer about this (that has a CLX run line online & keeping it that way) and he said hackers only go after the big guys and military or government sites. I told him those sites are pretty well protected and hackers do like to test their skill on small, unimportant targets.

I would just make sure you have it documented that you told them what they need to do. Because if they get taken out, they will see you as the problem not the person that told them it was an issue. When doing R&D I always had them disconnect the physical ethernet connection but it was internal project through a vpn to a remote workstation.
 
CVSS v3.1 Base Score: 10.0/CRITICAL

Yeah, got an email on this last week. Wasn't sure whether to share it publicly but here we are. Rockwell, what a clustersmuck you can be?...

ID: PN1550 | Access Levels: Everyone
Authentication Bypass Vulnerability Found in Logix Controllers

Definitely agree with Saffa. At a minimum, no industrial based controllers should be outwardly facing the Wicked World Web. Defense in Depth approach is a must really. The more layers the less likely they are to persist in trying to reach these controllers.

G.
 
I saw this on ars technica:

https://arstechnica.com/information...ogix-plcs-has-severity-score-of-10-out-of-10/

and I was like, so? If you put the PLC on the internet without protection you are already in trouble and like other mentioned, very few people use FT security.

btw. My personal philosophy is that if a remote connection has the ability to change programming then there needs to be an "analog" verification step like physically throwing a switch or connecting a cable on-site.
 
I would just make sure you have it documented that you told them what they need to do. Because if they get taken out, they will see you as the problem not the person that told them it was an issue. When doing R&D I always had them disconnect the physical ethernet connection but it was internal project through a vpn to a remote workstation.

Did that C.Y.A.

Thanks for the suggestion
 
btw. My personal philosophy is that if a remote connection has the ability to change programming then there needs to be an "analog" verification step like physically throwing a switch or connecting a cable on-site.

The VPN/Remote Connection best practice that I've always seen is to have a key switch that enables/disables the remote connectivity. The best method is to use an input on the VPN device configured to only enable the VPN when the input is on. The 2nd best method is the brute-force one: cut power to the VPN device unless it is needed. A bad option is to send the pairs of the ethernet cable through a relay; that can add noise, etc.

I've also seen a pushbutton going to a PLC which then starts a timer and sends a signal via an output to do one of the above.

Seems to strike a good balance between "OEM can support" and "End User is in control".
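A scan-cycle simulation of the "pushbutton starts a timer that enables the VPN" interlock described in the post above. This is an added example, not code from the thread or from Rockwell; the class name, the 30-minute window and the retrigger behaviour are constructed assumptions, modelled loosely on a PLC TON timer.

```python
"""Simulate a time-windowed remote-access enable driven by an on-site pushbutton.

Added example (not from the forum post or any vendor).  Each call to scan()
is one PLC scan; the return value is the output that would feed the VPN
device's enable input.  Window length and class name are assumptions."""
from dataclasses import dataclass


@dataclass
class RemoteAccessGate:
    window_s: float = 1800.0   # assumed: remote access stays enabled for 30 minutes
    _deadline: float = -1.0    # constructed state: time at which the output drops
    _last_pb: bool = False     # pushbutton state from the previous scan (edge detect)

    def scan(self, pushbutton: bool, now: float) -> bool:
        """One scan.  Returns True while the VPN-enable output should be on.

        Only a rising edge on the pushbutton (re)starts the timer, so a
        button that is held down, wedged or wired permanently high cannot
        keep the window open forever: once the window expires the operator
        must release and press again.  Each press restarts the full window.
        """
        rising = pushbutton and not self._last_pb
        self._last_pb = pushbutton
        if rising:
            self._deadline = now + self.window_s
        return now < self._deadline
```

The output should drive the VPN device's enable input (or its power), so that when the timer expires the remote path is physically gone rather than merely logged out.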
 