Rockwell Controllers VulnerableFlaw Could Enable Access to Secret Encryption Key
A critical authentication bypass vulnerability could enable hackers to remotely compromise programmable logic controllers made by industrial automation giant Rockwell Automation, according to the cybersecurity company Claroty.
See Also: OnDemand | Transforming Third Party Risk
The Industrial Control System Cyber Emergency Response Team - ICS-CERT - issued an advisory describing the vulnerability as requiring a low skill level to exploit. The advisory spells out risk mitigation advice provided by Rockwell.
"As part of our commitment to transparency and to protecting our customers’ security, we have publicly disclosed a vulnerability in the licensing mechanisms in our design software that may impact our controller products," says Marcelline Pelzer, a Rockwell Automation spokesperson. "Our disclosure also outlines the actions our customers can take to mitigate risk. At this time, we have no knowledge of this vulnerability being exploited."
Encryption Key Vulnerable
The severe vulnerability, which is tracked as CVE-2021-22681 and has a CVSS score of 10.0, affects Studio 5000 Logix Designer, RSLogix 5000 and many Logix controllers from Rockwell. If exploited, hackers can use it to extract a secret encryption key.
Using such a key could enable hackers to remotely connect to almost any of the company’s Logix programmable logic controllers and upload malicious code, download information from the PLC or install new firmware, the Claroty researchers say.
The Rockwell PLCs are widely used in multiple industries, ranging from small, simple implementations to larger control system deployments, Claroty notes. So the risks posed by the flaw are variable.
"The vulnerability lies in the fact that Studio 5000 Logix Designer software may allow a secret cryptographic key to be discovered," says Sharon Brizinov, principal vulnerability researcher at Claroty. "This key is used to verify communication between Rockwell Logix controllers and their engineering stations. If successfully exploited, this vulnerability could allow a remote, unauthenticated attacker to bypass this verification mechanism and connect to Logix controllers."
Paul Baird, chief technical security officer for the U.K. at Qualys, says that the vulnerability is so severe that it could pave the way for a hacker to destroy expensive industrial assets or risk the lives of those who work at manufacturing plants.
"Tracking PLC components to fix the problem will be hard, as many organizations don’t have full asset lists that are accurate and up to date that are shared with the IT security team," he says. "It is hard enough to enforce security and updates when IT teams track endpoints that are continuously connected to IP networks, but these assets can be implemented without the necessary management and asset control side in place and they may not be on the same networks. Getting a full picture of every operational technology asset with PLCs included is, therefore, going to take time for many teams."
If a hacker obtained a secret encryption key, they could use it to authenticate to any Rockwell Logix controller, Brizinov states. "These secret keys digitally sign all communication with the Rockwell PLCs; the PLCs verify the signature and authorize communication between it and the Rockwell engineering software," he says.
The key can help attackers mimic a workstation and manipulate configurations or code running on the PLC and directly affect a manufacturing process, Brizinov adds.
Operational technology tends to be a lower priority for security, Baird says. He recommends that manufacturers "centralize visibility of IT and OT issues" so they can "see everything in one place and manage risk more effectively."
Claroty researchers note that they had privately disclosed the flaw to Rockwell in 2019. Researchers from South Korea’s Soonchunhyang University’s Lab of Information Systems Security Assurance and Kaspersky Lab were also credited by ICS-CERT as having independently discovered the vulnerability.
Mitigating the Risk
Rockwell recommends putting the controller’s mode switch in “run” mode and deploying CIP Security for Logix Designer connections, which prevents unauthorized connections when properly deployed. Rockwell also recommends blunting the effects of this vulnerability by starting with proper network segmentation and security controls, such as minimizing exposure of control systems to the network or the internet.
"Control systems should be behind firewalls and isolated from other networks whenever feasible. Secure remote access is also suggested; at a minimum, using a VPN to connect to a device," Rockwell advises.
An ICS-CERT advisory includes all Rockwell mitigation advice, including several recommendations for each product family and version. It also recommends various detection methods to use if users suspect configurations have been modified.
"You should formalize your processes for patching these kinds of issues, just as you have for IT assets – in fact, this is more important for companies that run 24/7 operations that have no downtime windows for patching," Baird says. "Lastly, you should encourage your OT technical team to work with IT security, so both teams can present a united front when it comes to the importance of patching any vulnerability."