Introduction
Description
Rockwell Automation recognizes the importance of information and control system security to our customers. We are committed to working with government agencies and standards development organizations to develop solutions targeted to help our customers improve their overall system security strategy.
As part of this effort, the Idaho National Laboratory (INL) Control Systems Security Program, under contract to the Department of Homeland Security (DHS), identified a potential security concern within the firmware upgrade process used in control systems deployed in Critical Infrastructure and Key Resources (CIKR). DHS has confirmed that the firmware upgrade process can be intentionally manipulated in a manner that has potential to render the device inoperable and cause a disruption to the process and/or system operation.
Rockwell Automation has been working in partnership with DHS to identify potential short-term and long-term mitigation strategies.
As a result, Rockwell Automation is implementing a policy to digitally sign most firmware images and require contemporary devices to validate this signature before applying a firmware upgrade. Over time, many contemporary Rockwell Automation products will include this signature validation mechanism to help ensure firmware integrity and authenticity.
The following Rockwell Automation products currently authenticate firmware using digital signatures:
- ControlLogix 1756-L72, L73, L74, L75 Programmable Automation Controllers
- Virtual firmware of the 1789 SoftLogix PC-based controllers
For other devices, to help reduce the likelihood of the upgrade process being exploited and help reduce associated security risk, Rockwell Automation and DHS recommend the following short-term mitigation strategies (Note: multiple strategies can be employed simultaneously):
- Where possible, disable the capability to perform remote firmware upgrades to a controller over a network by placing the controller key switch into RUN mode. This prevents Allen-Bradley brand controllers from accepting firmware upgrades.
- Restrict physical and electronic access to automation networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
- Restrict firmware upgrades to the local ControlNetwork or direct (point-to-point) physical methods only by physically or electronically isolating target devices from any larger system while performing a firmware upgrade.
- Temporarily remove unnecessary network connections to the device before administering a firmware upgrade. Reactivate device-specific security measures and replace network connections only after a successful firmware upgrade.
- Block all traffic to EtherNet/IP or other CIP-based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP ports 2222 and 44818 using appropriate security technology (e.g. a firewall, UTM device, or other security appliance).
- Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks.
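To show how the port-blocking recommendation above can be checked rather than just configured, here is an added example (not part of the advisory or any Rockwell Automation tool) that scans firewall log lines for CIP traffic on TCP/UDP 2222 and 44818 that was allowed into the Manufacturing Zone from outside it. The log format, the zone address range 10.20.0.0/16, and the sample lines are all constructed assumptions.

```python
import ipaddress

# Ports the advisory names for EtherNet/IP / CIP (TCP and UDP).
CIP_PORTS = {2222, 44818}

# Assumed address range of the Manufacturing Zone (hypothetical; adjust to your plant).
MANUFACTURING_ZONE = ipaddress.ip_network("10.20.0.0/16")

# Constructed sample firewall log lines in a simple key=value format (not from a real device).
SAMPLE_LOG = """\
2024-03-01T08:00:01Z proto=TCP src=10.20.1.50 sport=51000 dst=10.20.1.7 dport=44818 action=ALLOW
2024-03-01T08:00:05Z proto=TCP src=192.168.5.10 sport=50001 dst=10.20.1.7 dport=44818 action=ALLOW
2024-03-01T08:00:09Z proto=UDP src=172.16.3.4 sport=2222 dst=10.20.1.9 dport=2222 action=ALLOW
2024-03-01T08:00:12Z proto=TCP src=192.168.5.11 sport=50002 dst=10.20.1.7 dport=443 action=ALLOW
2024-03-01T08:00:15Z proto=TCP src=192.168.5.12 sport=50003 dst=10.20.1.8 dport=44818 action=DENY
"""


def parse_line(line):
    """Split 'ts k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    fields = line.split()
    rec = {"ts": fields[0]}
    for kv in fields[1:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def in_zone(ip):
    return ipaddress.ip_address(ip) in MANUFACTURING_ZONE


def find_cross_zone_cip(lines):
    """Return records where CIP traffic from outside the zone reached a zone device and was allowed."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        try:
            dport = int(rec.get("dport", "-1"))
        except ValueError:
            continue
        if dport not in CIP_PORTS or rec.get("action") != "ALLOW":
            continue  # not CIP, or already blocked at the perimeter
        if in_zone(rec["dst"]) and not in_zone(rec["src"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_cross_zone_cip(SAMPLE_LOG.splitlines()):
        print(f"{h['ts']} {h['proto']} {h['src']} -> {h['dst']}:{h['dport']} allowed across zone boundary")
```

Each hit is a gap in the perimeter rule; traffic that is in-zone, on other ports, or already denied is ignored.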
Rockwell Automation is currently investigating additional long-term mitigation strategies that include, but are not limited to:
- Additional techniques to verify the authenticity of firmware updates to help reduce the likelihood of file tampering.
- Enhancements to the joint Rockwell Automation / Cisco Plantwide Reference Architecture that detail methods and recommendations which can further strengthen control system security.
For more information and for assistance with assessing the security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendors' control products, visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
See http://www.ab.com/networks/architectures.html for comprehensive information about improving your control system by implementing validated architectures designed to deliver layered security and defense-in-depth.